
Can I Be Trusted? - fejr
http://www.schneier.com/blog/archives/2013/10/can_i_be_truste.html
======
buro9
You'd have to define trust to understand and then answer the question.

Trust is the inverse of what most people think it is.

Trust isn't about what someone will do, it's about what they won't do.

You might trust a guy with your life by asking him to hold a ladder whilst you
climb up it, but you probably wouldn't trust the same guy with your medical
history and insights into your state of mind and personal relationships.

Yet you would trust a doctor with your medical history, and you would trust a
psychiatrist with your mental wellbeing.

The basis of trust is a belief that the person/entity you are trusting _won't_
do something. In the case of that ladder, that the guy won't let go. In the
case of the physician and psychiatrist that they won't share information
about you.

The NSA stuff can be seen in that light; there is a betrayal of trust, as the
basis for trust in a government spy agency was that they wouldn't do a certain
thing... spy on their own people. The rest is all forgivable (you pretty much
should expect them to spy on everyone else whether you agree with it or not,
that's their purpose).

When it comes to Bruce Schneier the question is "Do you trust Bruce
Schneier?", but this seems to just beg the next question, "To not do what?".

I trust Bruce Schneier to not sacrifice his own principles and belief system
in backdooring some code or otherwise compromising his work.

But I don't necessarily trust Bruce Schneier to hold a ladder that I'm
standing on (he may well have a sense of humour that reflects silent cinema,
and being up a ladder was never a good thing when a Loki character was holding
it).

~~~
tslathrow
Astute. Edit: thanks (didn't know what a Loki was)

~~~
buro9
Loki is a Norse God.

[http://en.wikipedia.org/wiki/Loki](http://en.wikipedia.org/wiki/Loki)

He's frequently referred to as the `God of Mischief` in that he's a trickster
and capricious by nature.

------
Amadou
After the wall came down, the stasi shredded a lot of their files. But they
were reassembled a few years ago and they revealed that some of the dissidents
at the time were snitching on their fellows in return for less harsh
treatment.[1]

I don't think Schneier is similarly compromised - to give out misleading
interpretations of the NSA leaks - but we can't know that with 100% certainty
as long as the documents he's commenting on are not public.

[1] [http://articles.latimes.com/2009/nov/01/world/fg-germany-
sta...](http://articles.latimes.com/2009/nov/01/world/fg-germany-stasi1)

~~~
growt
It's a little off-topic, but those shredded files were put together with
software (they scanned all the scraps and put them back together with
algorithms). Here is a link to the research article (couldn't find a free
source, sorry):
[http://link.springer.com/article/10.1007/s00287-004-0395-8](http://link.springer.com/article/10.1007/s00287-004-0395-8)

~~~
AlexDanger
Wow. Anyone got an English free link describing this work?

~~~
tanzam75
Sure, see [http://www.npr.org/2012/10/08/162369606/piecing-together-
the...](http://www.npr.org/2012/10/08/162369606/piecing-together-the-worlds-
largest-jigsaw-puzzle)

You don't even need computers to piece together shredded work. Iran pieced
together the shredded US Embassy documents by hand, and China pieced together
shredded Soviet atomic bomb documents. You just need time and lots of people.
Shredded material is often not well-mixed, so there is a great deal of spatial
locality.

The thing that distinguishes the Stasi case is that they produced a lot more
records, and German workers cost more than Iranian or Chinese workers. That's
where the computers came in.

These days, with cross-cut and confetti shredders, the computers would become
even more important.

~~~
keithpeter
Maxwell brothers spring to mind. Panicking and using a single cut type
shredder to shred documents after Captain Bob's demise. I gather assembled
piece by piece over months by UK forensic science employees.

They should have just had a barbecue.

------
rdl
I think a fair bit of his non-cryptography security advice of the past 10+
years has been...different than a lot of people I know better and have direct
evidence of their competence would give. Increasingly so recently (the past
year or two). As a cryptographer, particularly on the symmetric side, he does
a good job (at least, the other people who I know who are good at that also
think he does a good job; I understand number theoretic cryptology better than
I understand the more complex details in designing symmetric stuff). He also
went way far over to the "high level policy/politics" side post-BT acquisition
vs. actual implementation work, other than crypto competition entries, as far
as I can tell.

So, it's not so much "not trust" as "critically evaluate what he says each
time".

------
chattoraj
> I'd help, but that seems unfair.

He missed the perfect opportunity to quote HPMOR.

> I have heard such requests before, and experience leads me to refuse. Either
> I will do too good a job of prosecuting myself, and convince you that I am
> guilty - or else you will decide that my prosecution was too half-hearted,
> and that I am guilty.

------
roc
If the goal of the hypothetically-compromised Bruce Schneier is to reinstate
public trust in weak crypto, he's doing an exceptionally bad job.

To the extent that he maintains crypto is still a plausible defense, there's a
_huge_ asterisk next to 'crypto' that boils down to: you really can't know
whether you've _actually_ got strong crypto. [1]

For anyone who doesn't have a burning interest in privacy or security, for the
regular joe on the street, Schneier's collected reporting reads: they won, it
sucks, we need to fight back at the ballot box.

[1] Due all his reporting on the NSA: tapping every wire; injecting
vulnerabilities and backdoors, whenever possible, in crypto libraries, crypto
programs, services, operating systems and hardware; by hook or by crook,
having access to just about every vendor and service providers keys and
internal data. And if they want into your computer, specifically, Schneier
maintains they're basically in. Hardly a reassuring word among them.

------
jeanjq
No, I do not. I have no reason to distrust him but equally no reason to
unthinkingly trust. I listen to his opinions and take them into account.

~~~
Dirlewanger
Seriously, this is the only rational response. This is what rational people
do: weigh opinions and make their own decision. It's as if we're trusting this
guy with our bank account information or something.

------
mikehotel
Bears repeating: trust but verify. Trust the math but not personalities
because allegiances can change. And as cperciva writes
([http://www.daemonology.net/blog/2013-09-10-I-might-be-a-
spoo...](http://www.daemonology.net/blog/2013-09-10-I-might-be-a-spook.html)),
verify through actual code reviews.

------
phaemon
I trust the _real_ Bruce Schneier, not his NSA clone!

------
mixmax
_So far, I haven't seen the good reasons why I might be untrustworthy. I'd
help, but that seems unfair._

The better question to ask would be _"Why might I be trustworthy?"_, which he
could then try to answer. Not that I don't think Schneier is untrustworthy..

~~~
juskrey
Yes, he has just disclosed the reason not to be trusted. He conflates absence
of evidence with evidence of absence.

~~~
dbaupp
_> He conflates absence of evidence with evidence of absence._

Absence of evidence _is_ evidence of absence. The false statement of that form
is "absence of proof is proof of absence".

If absence of evidence _wasn't_ evidence of absence, then, at best, the
presence of the event and the presence of evidence have no bearing on each
other & are independent (in the statistical sense, i.e. the "evidence" is not
evidence at all), and at worst, presence of evidence corresponds to the event
not happening (i.e. the "evidence" is backwards).

~~~
fnordfnordfnord
Absence of evidence is [pretty much the weakest possible] evidence of absence.
It is most useful for things which are readily apparent. It is not
particularly useful for determining questions where the evidence is not
readily apparent (such as, obviously, 'Is the NSA spying on Americans?').

One may easily use the absence of evidence of woolly mammoths to conclude that
woolly mammoths are extinct. Given their physical size (they are easy to
detect) they could not remain hidden from view. We can assume (from our
knowledge of other large mammals) that they would leave signs of their
presence wherever they trod (footprints, dung, etc.) It is not so easy to use
absence of evidence to disprove the existence of neutrinos or tree shrews.
Both neutrinos and shrews are hard to detect. There are few people even
qualified to attempt to detect them, fewer who are interested, and even fewer
who have the resources and opportunity.

A relevant question is "Is it possible for spies to conduct espionage
undetected for an extended period of time?" The answer is yes, there is ample
evidence of that. Schneier is clearly in a place of trust in his community,
making him a high value target. The standards of evidence for betrayal of
trust being high (and difficult to define), mean that Schneier could
potentially be a spy/collaborator in some capacity, and/or could become one at
any time.
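
The exchange between dbaupp and fnordfnordfnord above is a statement about Bayesian updating: failing to observe evidence always lowers the probability that the thing exists, but by a factor of (1 - detection probability), which is negligible when detection is unlikely. The following Python is an added worked example, not code from the thread or from Schneier's post; the priors, detection probabilities and thresholds are constructed for illustration only.

```python
"""Worked example: how much does "no evidence found" lower P(present)?

Model (assumed for this illustration):
  - prior_present : P(the thing is present) before looking
  - p_detect      : P(we find evidence | it is present) for one independent look
  - no false positives: P(evidence | absent) == 0, so "no evidence" is certain
    when the thing is absent.
Each failed look multiplies the odds of presence by the Bayes factor (1 - p_detect).
"""

import math


def bayes_factor_no_evidence(p_detect: float) -> float:
    """Likelihood ratio P(no evidence | present) / P(no evidence | absent).

    Always <= 1, so a failed search is always evidence of absence; it is
    strong evidence only when p_detect is close to 1.
    """
    if not 0.0 <= p_detect <= 1.0:
        raise ValueError("p_detect must be in [0, 1]")
    return (1.0 - p_detect) / 1.0  # denominator is 1: no false positives assumed


def update_on_no_evidence(prior_present: float, p_detect: float) -> float:
    """Posterior P(present | one look found nothing)."""
    if not 0.0 < prior_present < 1.0:
        raise ValueError("prior_present must be strictly between 0 and 1")
    odds = prior_present / (1.0 - prior_present)
    odds *= bayes_factor_no_evidence(p_detect)
    return odds / (1.0 + odds)


def looks_needed(prior_present: float, p_detect: float, threshold: float) -> int:
    """Number of independent failed looks before P(present) drops below threshold.

    Iterates on the odds rather than taking logs, so p_detect == 1 works too.
    """
    if p_detect <= 0.0:
        raise ValueError("a look that can never detect anything yields no update")
    odds = prior_present / (1.0 - prior_present)
    target_odds = threshold / (1.0 - threshold)
    looks = 0
    while odds >= target_odds:
        odds *= bayes_factor_no_evidence(p_detect)
        looks += 1
    return looks


def illustrate() -> dict:
    """Constructed scenarios mirroring the thread: mammoths vs. a covert source."""
    scenarios = {
        # easy to detect: one survey that finds nothing is strong evidence
        "woolly mammoth (p_detect 0.99)": (0.5, 0.99),
        # hard to detect: one failed look barely moves the estimate
        "covert collaborator (p_detect 0.05)": (0.5, 0.05),
    }
    out = {}
    for name, (prior, p_detect) in scenarios.items():
        out[name] = {
            "prior": prior,
            "posterior_after_one_look": update_on_no_evidence(prior, p_detect),
            "looks_to_reach_1pct": looks_needed(prior, p_detect, 0.01),
        }
    return out


if __name__ == "__main__":
    for name, result in illustrate().items():
        print(f"{name}: prior={result['prior']:.2f} "
              f"posterior={result['posterior_after_one_look']:.4f} "
              f"looks needed to reach 1%={result['looks_to_reach_1pct']}")
```

Running it shows the asymmetry fnordfnordfnord describes: with a 0.99 detection probability a single empty survey takes a 50% prior below 1%, whereas with a 0.05 detection probability the same prior only drops to about 49%, and it takes roughly 90 independent failed looks to reach the 1% mark. Absence of evidence is evidence of absence in both cases; it is just very weak evidence when the thing being searched for is hard to see.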

------
tiatia
Always funny
[http://www.schneierfacts.com/facts/top](http://www.schneierfacts.com/facts/top)

------
skue
Reading the comments below Schneier's post, I was reminded again just how much
the Internet has changed how we interact. Here is an expert creating a space
and inviting anyone with an opinion to gather and discuss whether he can be
trusted, while he quietly (and amusedly?) observes. I can't imagine anything
analogous to this IRL.

------
forgotAgain
Yes, I do trust him.

His work is out in the open for all to see. I'm sure that he has a very large
target on his back for what he has accomplished. There are more than a few
government tools and internet fools who would consider their careers made if
they could point to any technical compromises in his work. They haven't been
able to.

------
johnjhayes
Trust is not boolean. I have a reasonable amount of trust in Bruce Schneier
based on the information I have available.

------
gadders
I trust Bruce Schneier to believe what he says when it comes to cryptography.

I would also be fairly confident that what he says is correct.

When he strays outside of his area of expertise into politics, I think he is
naïve.

------
kbart
I kinda trust a person whose best advice is _"trust math"_. Of course, to a
certain level, as still the best advice is _"trust no one"_..

------
alan_cx
On a "what do I do?" practical level, it's not about trusting him.

The point is his suggestions or advice point people in a direction that they
or people they trust can verify. If he were spreading false information, by
now, he'd be shown to be unreliable. But for many, many years, he has
consistently been not proven intentionally false. I word it carefully because
he has been wrong, but being wrong is not being false.

------
lucb1e
Well for one, he uses Windows on his super secure airgapped computer. That
must mean he is in bed with the NSA!

</tinfoil>

The top comment on the site pretty much covers it: trust, but verify.

~~~
spin
Haha. And I use Linux -- and I usually leave SELinux turned on... so my OS is
infested with NSA-written software.

(I do think about this sometimes... I guess I just hope that "with enough
eyes, all bugs are shallow". I hope.)

------
squozzer
It depends on what's at risk. So far he hasn't asked me to meet him in a
cornfield or other out-of-the-way location.

------
DodgyEggplant
That's a recursion

------
known
Verify and Trust

------
r0muald
No.