Bruce Schneier

Bruce Schneier at the Congress on Privacy & Surveillance (2013) of the École polytechnique fédérale de Lausanne (EPFL).
Born January 15, 1963 (age 59) [1]
Citizenship American
Alma mater
Known for Cryptography, security
Scientific career
Fields Computer science

Bruce Schneier (/ˈʃnaɪ.ər/; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School [2] and a Fellow at the Berkman Klein Center for Internet & Society as of November 2013. [3] He is a board member of the Electronic Frontier Foundation, Access Now, and The Tor Project, and an advisory board member of the Electronic Privacy Information Center. He is the author of several books on general security topics, computer security and cryptography and is a squid enthusiast. [4]


In 2015, Schneier received the EPIC Lifetime Achievement Award from Electronic Privacy Information Center. [5]

Early life

Bruce Schneier is the son of Martin Schneier, a Brooklyn Supreme Court judge. He grew up in the Flatbush neighborhood of Brooklyn, New York, attending P.S. 139 and Hunter College High School. [6]

After receiving a physics bachelor's degree from the University of Rochester in 1984, [7] he went to American University in Washington, D.C. and got his master's degree in computer science in 1988. [8] He was awarded an honorary Ph.D from the University of Westminster in London, England in November 2011. The award was made by the Department of Electronics and Computer Science in recognition of Schneier's 'hard work and contribution to industry and public life'.

Schneier was a founder and chief technology officer of Counterpane Internet Security (now BT Managed Security Solutions). He worked for IBM after it acquired Resilient Systems, where Schneier was CTO, [9] [10] [11] until he left at the end of June 2019. [12]

Writings on computer security and general security

In 1991, Schneier was laid off from his job and started writing for computer magazines. Later he decided to write a book on applied cryptography "since no such book existed". He took his articles, wrote a proposal to John Wiley and they bought the proposal. [13]

In 1994, Schneier published Applied Cryptography, which details the design, use, and implementation of cryptographic algorithms.

This book allowed me to write more, to start consulting, to start my companies, and really launched me as an expert in this field, and it really was because no one else has written this book. I wanted to read it so I had to write it. And it happened in a really lucky time when everything started to explode on the Internet. [13]

In 2010 he published Cryptography Engineering, which is focused more on how to use cryptography in real systems and less on its internal design. He has also written books on security for a broader audience. In 2000, Schneier published Secrets and Lies: Digital Security in a Networked World; in 2003, Beyond Fear: Thinking Sensibly About Security in an Uncertain World; in 2012, Liars and Outliers: Enabling the Trust that Society Needs to Thrive; and in 2015, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. [14]

Schneier writes a freely available monthly Internet newsletter on computer and other security issues, Crypto-Gram, as well as a security weblog, Schneier on Security. [15] The blog focuses on the latest threats and his own thoughts. The weblog started out as a way to publish essays before they appeared in Crypto-Gram, making it possible for others to comment on them while the stories were still current, but over time the newsletter became a monthly email version of the blog, re-edited and re-organized. [16] Schneier is frequently quoted in the press on computer and other security issues, pointing out flaws in security and cryptographic implementations ranging from biometrics to airline security after the September 11 attacks. [17]

Schneier revealed on his blog that in the December 2004 issue of the SIGCSE Bulletin, three Pakistani academics, Khawaja Amer Hayat, Umar Waqar Anis, and S. Tauseef-ur-Rehman, from the International Islamic University in Islamabad, Pakistan, plagiarized an article written by Schneier and got it published. [18] The same academics subsequently plagiarized another article by Ville Hallivuori on "Real-time Transport Protocol (RTP) security" as well. [18] Schneier complained to the editors of the periodical, which generated a minor controversy. [19] The editor of the SIGCSE Bulletin removed the paper from their website and demanded official letters of admission and apology. Schneier noted on his blog that International Islamic University personnel had requested him "to close comments in this blog entry"; Schneier refused to close comments on the blog, but he did delete posts which he deemed "incoherent or hostile". [18]



Schneier warns about misplaced trust in blockchain [20] and the lack of use cases, calling blockchain a solution in search of a problem. [21]

What blockchain does is shift some of the trust in people and institutions to trust in technology. You need to trust the cryptography, the protocols, the software, the computers and the network. And you need to trust them absolutely, because they’re often single points of failure.

I’ve never seen a legitimate use case for blockchain. I’ve never seen any system where blockchain provides security in a way that is impossible to provide in any other way. [22]

He goes on to say that cryptocurrencies are useless and are only used by speculators looking for quick riches.


To Schneier, peer review and expert analysis are important for the security of cryptographic systems. [23] Mathematical cryptography is usually not the weakest link in a security chain; effective security requires that cryptography be combined with other things. [24]

The term Schneier's law was coined by Cory Doctorow in a 2004 speech. [25] The law is phrased as:

Any person can invent a security system so clever that she or he can't think of how to break it.

He attributes this to Bruce Schneier, who wrote in 1998: "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis." [26]

Similar sentiments had been expressed by others before. In The Codebreakers, David Kahn states: "Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break", and in "A Few Words On Secret Writing", in July 1841, Edgar Allan Poe had stated: "Few persons can be made to believe that it is not quite an easy thing to invent a method of secret writing which shall baffle investigation. Yet it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve." [27]

Schneier also coined the term "kid sister cryptography", writing in the Preface to Applied Cryptography [28] that:

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

Digital rights management

Schneier is critical of digital rights management (DRM) and has said that it allows a vendor to increase lock-in. [29] Proper implementation of control-based security for the user via trusted computing is very difficult, and security is not the same thing as control. [29]

Schneier insists that "owning your data is a different way of thinking about data." [30]

Full disclosure

Schneier is a proponent of full disclosure, i.e. making security issues public.

If researchers don't go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem. [31]

Homeland security

Schneier has said that homeland security money should be spent on intelligence, investigation, and emergency response. [32] Defending against the broad threat of terrorism is generally better than focusing on specific potential terrorist plots. [32] According to Schneier, analysis of intelligence data is difficult but is one of the better ways to deal with global terrorism. [33] Human intelligence has advantages over automated and computerized analysis, and increasing the amount of intelligence data that is gathered does not help to improve the analysis process. [33] Agencies that were designed around fighting the Cold War may have a culture that inhibits the sharing of information; the practice of sharing information is more important and less of a security threat in itself when dealing with more decentralized and poorly funded adversaries such as al Qaeda. [34]

Regarding PETN—the explosive that has become terrorists' weapon of choice—Schneier has written that only swabs and dogs can detect it. He also believes that changes to airport security since 11 September 2001 have done more harm than good and he defeated Kip Hawley, former head of the Transportation Security Administration, in an Economist online debate by 87% to 13% regarding the issue. [35] He is widely credited with coining the term "security theater" to describe some such changes.

As a Fellow of Berkman Center for Internet & Society at Harvard University, Schneier is exploring the intersection of security, technology, and people, with an emphasis on power. [36]

Movie plot threat

"Movie-plot threat" is a term Schneier coined that refers to very specific and dramatic terrorist attack scenarios, reminiscent of the behavior of terrorists in movies, rather than what terrorists actually do in the real world. [37] Security measures created to protect against movie plot threats do not provide a higher level of real security, because such preparation only pays off if terrorists choose that one particular avenue of attack, which may not even be feasible. Real-world terrorists would also be likely to notice the highly specific security measures, and simply attack in some other way. The specificity of movie plot threats gives them power in the public imagination, however, so even extremely unrealistic security theater countermeasures may receive strong support from the public and legislators. Among many other examples of movie plot threats, Schneier described banning baby carriers from subways, for fear that they may contain explosives. [38] Starting in April 2006, Schneier has had an annual contest to create the most fantastic movie-plot threat. [39] In 2015, during the eighth contest (the last one as of 17 February 2022), he mentioned that the contest may have run its course. [40]

System design

Schneier has criticized security approaches that try to prevent any malicious incursion, instead arguing that designing systems to fail well is more important. [41] The designer of a system should not underestimate the capabilities of an attacker, as technology may make it possible in the future to do things that are not possible at the present. [23] Under Kerckhoffs's Principle, the need for one or more parts of a cryptographic system to remain secret increases the fragility of the system; whether details about a system should be obscured depends upon the availability of persons who can make use of the information for beneficial uses versus the potential for attackers to misuse the information. [42]

Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public. [43]

Cryptographic algorithms

Schneier has been involved in the creation of many cryptographic algorithms.

Hash functions:

Stream ciphers:

Pseudo-random number generators:

Block ciphers:



Schneier is a board member of the Electronic Frontier Foundation. [44]

Related Research Articles

Cryptanalysis: Study of analyzing information systems in order to discover their hidden aspects

Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

Data Encryption Standard: Early unclassified symmetric-key block cipher

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

CAST-128: Block cipher

In cryptography, CAST-128 is a symmetric-key block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has also been approved for Government of Canada use by the Communications Security Establishment. The algorithm was created in 1996 by Carlisle Adams and Stafford Tavares using the CAST design procedure.

In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research while working for IBM; it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the US Data Encryption Standard, the Soviet/Russian GOST and the more recent Blowfish and Twofish ciphers. In a Feistel cipher, encryption and decryption are very similar operations, and both consist of iteratively running a function called a "round function" a fixed number of times.

Books on cryptography

Books on cryptography have been published sporadically and with highly variable quality for a long time. This is despite the tempting, though superficial, paradox that secrecy is of the essence in sending confidential messages — see Kerckhoffs' principle.

40-bit encryption refers to a (now broken) key size of forty bits, or five bytes, for symmetric encryption; this represents a relatively low level of security. A forty bit length corresponds to a total of 2^40 possible keys. Although this is a large number in human terms (about a trillion), it is possible to break this degree of encryption using a moderate amount of computing power in a brute-force attack, i.e., trying out each possible key in turn.

In cryptography, the Generalized DES Scheme is a variant of the DES symmetric-key block cipher designed with the intention of speeding up the encryption process while improving its security. The scheme was proposed by Ingrid Schaumuller-Bichl in 1981.

Alice and Bob: Characters used in cryptography and science literature

Alice and Bob are fictional characters commonly used as placeholders in discussions about cryptographic systems and protocols, and in other science and engineering literature where there are several participants in a thought experiment. The Alice and Bob characters were invented by Ron Rivest, Adi Shamir, and Leonard Adleman in their 1978 paper "A Method for Obtaining Digital Signatures and Public-key Cryptosystems". Subsequently, they have become common archetypes in many scientific and engineering fields, such as quantum cryptography, game theory and physics. As the use of Alice and Bob became more widespread, additional characters were added, sometimes each with a particular meaning. These characters do not have to refer to people; they refer to generic agents which might be different computers or even different programs running on a single computer.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.

Nothing-up-my-sleeve number: Numbers used by cryptographers to show that they are working in good faith

In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants. Using digits of π millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit.

Fortuna is a cryptographically secure pseudorandom number generator (PRNG) devised by Bruce Schneier and Niels Ferguson and published in 2003. It is named after Fortuna, the Roman goddess of chance. FreeBSD uses Fortuna for /dev/random and /dev/urandom is symbolically linked to it since FreeBSD 11. Apple OSes have switched to Fortuna since 2020 Q1.

Rainbow Series

The Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.

In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key.

In cryptanalysis, attack models or attack types are a classification of cryptographic attacks specifying the kind of access a cryptanalyst has to a system under attack when attempting to "break" an encrypted message generated by the system. The greater the access the cryptanalyst has to the system, the more useful information they can get to utilize for breaking the cypher.

Rambutan is a family of encryption technologies designed by the Communications-Electronics Security Group (CESG), the technical division of the United Kingdom government's secret communications agency, GCHQ.

In cryptography, CDMF is an algorithm developed at IBM in 1992 to reduce the security strength of the 56-bit DES cipher to that of 40-bit encryption, at the time a requirement of U.S. restrictions on export of cryptography. Rather than a separate cipher from DES, CDMF constitutes a key generation algorithm, called key shortening. It is one of the cryptographic algorithms supported by S-HTTP.

Cryptography: Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

Twofish: Block cipher

In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. Twofish is related to the earlier block cipher Blowfish.

This is a timeline of the public releases or introductions of computer encryption algorithms.


  1. "Bruce Schneier | Facebook". Facebook.
  2. "Bruce Schneier". Harvard Kennedy School. Retrieved December 14, 2021.
  3. Bergman, Kristin (October 9, 2014). "Q+A with Bruce Schneier". Retrieved December 14, 2021.
  4. "Friday Squid Blogging: Squid Found on Provincetown Sandbar - Schneier on Security". Retrieved November 13, 2020.
  5. "EPIC 2015 Champions of Freedom". EPIC. Archived from the original on July 10, 2016.
  6. Samuel Newhouse (February 9, 2009). ""Schneier on Security;" A Judge's Son Builds a Reputation of Cryptic Fame". Brooklyn Daily Eagle.
  7. Drew Amorosi (July 11, 2011). "Interview: BT's Bruce Schneier". InfoSecurity.
  8. Mann, Charles C. "Homeland Insecurity". The Atlantic. No. September, 2002. Retrieved December 14, 2021.
  9. "Bruce Schneier, CTO of Resilient Systems, Inc". Archived from the original on February 24, 2015. Retrieved February 24, 2015.
  10. "IBM Security Closes Acquisition of Resilient Systems" (Press release). Armonk, NY, USA: IBM Security. April 6, 2016.
  11. Schneier, Bruce (February 29, 2016). "Resilient Systems News: IBM to Buy Resilient Systems". Schneier on Security.
  12. Schneier, Bruce (June 28, 2019). "I'm Leaving IBM". Schneier on Security.
  13. "On starting a career - Special exclusive interview with Bruce Schneier at NoNameCon 2020". NoNameCon live conference. September 7, 2020.
  14. Austin, Richard (March 12, 2015). "review of Data and Goliath: The hidden Battles to capture your data and control your world". Cipher. Retrieved March 18, 2015.
  15. "".
  16. Blood, Rebecca (January 2007). "Bruce Schneier". Bloggers on Blogging. Retrieved April 19, 2007.
  17. Severance, Charles (2016). "Bruce Schneier: the security mindset". Computer. 49 (2): 7–8. doi:10.1109/MC.2016.38.
  18. "Schneier on Security: Plagiarism and Academia: Personal Experience". Retrieved June 9, 2009.
  19. "ONLINE – International News Network". June 9, 2007. Archived from the original on April 7, 2010. Retrieved June 9, 2009.
  20. Schneier, Bruce (February 6, 2019). "There's No Good Reason to Trust Blockchain Technology". Wired. ISSN 1059-1028. Retrieved February 6, 2019.
  21. "Was Bruce Schneier von Blockchain, IoT und Quantencomputern hält" (in German). Retrieved February 6, 2019.
  22. "On blockchain - Special exclusive interview with Bruce Schneier at NoNameCon 2020". NoNameCon live 2020. Retrieved September 7, 2020.
  23. Schneier, Bruce (1997). "Why Cryptography Is Harder Than It Looks". Retrieved April 8, 2011.
  24. Ferguson, Niels; Schneier, Bruce. "Practical Cryptography: Preface". Retrieved April 8, 2011.
  25. Cory Doctorow (June 17, 2004). "Microsoft Research DRM talk". Archived from the original on December 2, 2006. Retrieved December 31, 2006.
  26. "Crypto-gram: October 15, 1998 - Schneier on Security". Retrieved January 26, 2022.
  27. "'Schneier's law'".
  28. Schneier, Bruce (1996). Applied Cryptography. John Wiley & Sons. ISBN 978-1-119-09672-6.
  29. Schneier, Bruce (February 7, 2008). "With iPhone, 'Security' Is Code for 'Control'". Retrieved April 8, 2011.
  30. "On owning your data - Special exclusive interview with Bruce Schneier at NoNameCon 2020". NoNameCon live conference. Retrieved September 7, 2020.
  31. "After Apple Punishes Researcher, A Complex Relationship Is Tested". HuffPost. November 16, 2011. Retrieved January 26, 2022.
  32. Schneier, Bruce (September 8, 2005). "Terrorists Don't Do Movie Plots". Wired News.
  33. Schneier, Bruce (January 9, 2004). "Homeland Insecurity". Retrieved April 8, 2011.
  34. Schneier, Bruce (January 15, 2010). "Fixing intelligence failures – SFGate". SFGate. Retrieved April 8, 2011.
  35. "International terrorism: AQAP tries again: Good intelligence work still leaves questions over airport security", The Economist, dated 12 May 2012.
  36. "Berkman Center Announces 2013–2014 Community". Berkman Center for Internet & Society at Harvard University. July 8, 2013. Retrieved July 8, 2013.
  37. Ben Makuch (October 8, 2014). "2014 Will Not Be the Year of the First 'Online Murder'". Motherboard. Retrieved June 18, 2015.
  38. Schneier, Bruce. "Schneier on Security: Exploding Baby Carriages in Subways". And if we ban baby carriages from the subways, and the terrorists put their bombs in duffel bags instead, have we really won anything?
  39. Schneier, Bruce. "Schneier on Security: Announcing: Movie-Plot Threat Contest".
  40. Schneier, Bruce. "Eighth Movie-Plot Threat Contest Semifinalists". Schneier on Security. Retrieved February 17, 2022.
  41. Homeland Insecurity. Archived September 28, 2011, at the Wayback Machine, Atlantic Monthly, September 2002.
  42. Schneier, Bruce (May 15, 2002). "Crypto-Gram: May 15, 2002". Retrieved April 8, 2011.
  43. Doctorow, Cory. Little Brother. New York: Tor Teen, 2008, page 129.
  44. Jeschke, Rebecca (June 27, 2013). "Renowned Security Expert Bruce Schneier Joins EFF Board of Directors". Retrieved July 6, 2013.