Archive for October 23rd, 2008

Where do the candidates stand on the Bruce Schneier issue?

October 23rd, 2008

I had to chuckle when I read the CSO blog posting by Jeff Bardin, Schneier on the Shnive.  Jeff is one of those top CISO/ex-CISO types I try to stay in touch with because of his keen insights.  Jeff’s keen insight yesterday was that Bruce is a tool who doesn’t understand risk management based on his recent commentary and shouldn’t be calling himself a security professional.  It occurred to me that Bruce Schneier is the information security industry’s litmus test.  We are an industry divided against itself, one house that believes Bruce Schneier provides the most valuable insights and one house that thinks he is a waste of time - it’s just like the IDS debate we used to have!  It isn’t the junior people in the industry who have these strong feelings; it is our leadership, who either think Schneier has aged like fine wine or expired milk.  I think there is unanimity that Schneier is one of the sages of cryptography; it is when he steps into risk management and many of the other complexities that make up our industry that we see the Crypto-Gram Effect.  (My stance? At the end of the post.)  I do enjoy free-wheeling thinking that can lead to breakthroughs; on the other hand, I do believe in a meritocracy, and expertise in one domain is not necessarily transitive to another.

As I read Bardin’s post, I realized that neither Barack Obama nor John McCain has taken a clear position on the Bruce Schneier issue.  I think that responsible information security professionals in the United States need to sit this election out until we get more clarity on this issue.  Would they: a) appoint Schneier to the Supreme Court, b) shoot him into a permanent fixed orbit, or c) appoint him to the head of TSA?

As with most blogging, I bet the unwritten backstory is more interesting; the blog in my head is always a lot better than what I write because of my duty to protect my friends.  Come on Jeff, let us in on it!  Did you encrypt something in Blowfish and forget the passphrase?  Did Counterpane miss a Chinese hacker on your system?  Food poisoning at a Minneapolis steakhouse?  I am making dinner reservations on Wednesday night at RSA 2009 for myself, Bruce, Jeff and Dr Phil (who I think is really pissed off with Bruce).

Bruce Schneier uses botnets as a tip calculator.

P.S. I think Bruce Schneier is

-----BEGIN PGP MESSAGE-----
Version: PGP Desktop 9.0.6 (Build 6060)
-----END PGP MESSAGE-----


Hurry up and get patched, stupid

October 23rd, 2008

Microsoft released a patch and advisory today out of the normal cycle, so you know it is going to be a fun day.  This is a remote execution vulnerability that is very wormable and can enable all varieties of bots and trojans.  The unfortunate catch-22 is that bad guys jump on these special releases and develop attacks quickly.  We are already seeing some activity, so get cracking!

MS 08-067

MS Malware Protection Center

Hmm, I wonder if any of the US election balloting machines are vulnerable…
