Video of the Week: Bruce Schneier at Google

This talk is about all the stuff we have been talking about and thinking about at USV lately. It’s awesome.


Comments (Archived):

  1. William Mougayar

    What’s interesting is that Bruce Schneier has been saying this BEFORE the PRISM news,- namely that the Internet gives more power to the already powerful (governments, corporations, terrorist org.) than it does to us individuals.Trust is such a critical thing. We used to say “Trust, but verify”. Now, we can barely verify anything. The bigger the lies, the more difficult it is to untangle them.

    1. Anne Libby

      Recently, I had cause to think about the origins of the phrase “Trust, but verify.” Searching around, found a lot of interesting Cold War stuff out there…

      1. Richard

        Translate anything Russian into English and it sounds very persuasive.

        1. William Mougayar


        2. Dave Pinsen

          Reagan spoke English.

      2. William Mougayar

        Thanks. Good detective work, and I thought it came about during the early Internet days.

    2. scottythebody

      I would argue that Bruce Shneier wasn’t saying: “the Internet gives more power to the already powerful ” He was saying that the Internet WE HAVE CHOSEN gives more power to the already powerful. His point is that the Internet is neutral, actually, and that the way we have fallen in with corporate interests and with whom we have placed our trust has resulted in a power balance as you describe.

      1. William Mougayar

        Yes, I agree. But how we change that is still an issue.

    3. Matt A. Myers

      I really liked how simple he put it, that the internet amplified power. If you had none, now you have some. If you had a lot of power, now you had even more. If you think of it in the terms of health and wellness increasing as the gap of inequality becomes narrowed, then if this is narrowing the gap between the extremes of power, then this in the end should lead to a better state.

    4. JamesHRH

      totally true.The more semi-credible noise that exists, the harder the truth is to hear.

  2. John Saddington

    Love this. Looooove this. I’m working on a mobile app that engages with the points that Bruce brings up directly… at the very least a good Saturday-morning source of validation. πŸ˜›

  3. jason wright

    hardware innovation is the solution. CB Radio for the internet

    1. SubstrateUndertow

      Yup!DNA is locally hardwired and so should we.

  4. Shaun Dakin

    One of the great minds on security, privacy, and technology. Thanks, had not seen. Shared at @PrivacyCamp

  5. Richard

    $ 225 billion. The annual revenue of AT&T and Verizon combined. The “google” has to see these slow lumbering giants as tomorrow’s lunch?

    1. jason wright

      we the people by our individual actions inadvertently collectively allocate too much money to these companies. this applies to GOV too.

      1. Richard

        $15 per GB for Data. WTF?

        1. jason wright

          a punitive tax…on what is becoming an essential of life. uckers.

        2. scottythebody

          What should they charge? What would be a fair profit on the very significant investment in the infrastructure to deliver this service? I’ve always been curious. I used to work in telecom, and even then, I had no idea. I just know that we spent, literally, billions on network. How they priced the products after that was somebody else’s game.

    2. Casey Fahey

      Very much so. Noted that Google just recently bounced AT&T from Starbucks with (essentially) a better “free” product.

      1. Richard

        Yes. The payment model for Mobile Data transmission is so ripe for disruption. ATT / VERIZON lipstick on a pig model of rent to own, 400 phone rebate in exchange for $2400 or $5000 or contractual revenue, is in its last decade.

    3. Michael Elling

      Google just filed with the FCC on net neutrality for its last mile fiber business revealing its paradoxical stance. Yes they are in a position to take on the big service providers (voice, video, data; wired and wireless) with their WAN-side scale, but they need to buy into open or equal access in the lower layers, plus balanced settlements in the middle layers. The latter might disrupt their advertising monopoly. So they might be conflicted at the end of the day.

    4. scottythebody

      This might shape up to be one of the most interesting competitive battles of the century. Pop some popcorn.

  6. Kirsten Lambertsen

    Interesting, and kind of refreshing to hear a talk that isn’t a canned, 20-minute slide deck.I can’t help but find his concern over the increasing comingling of government and corporate interests… quaint. Game is already over in that regard. The gov’t is an arm of our giant corporations. Start there.

    1. kidmercury


    2. SubstrateUndertow

      “government is the shadow cast by business over society.”- ChomskyStill the game is never over!At least not until they stomp out that last bit of human DNA.

      1. Kirsten Lambertsen


    3. Matt A. Myers

      This is why new tech companies who are and becoming giant corporations, and who should have users/consumers interests in mind, need to start playing and winning the game; Carlota Perez says as much..

  7. btrautsc

    Now this is how you nerd out on Saturday morning. Fascinating

  8. kidmercury

    he compares apple to the chinese government. lol. #realtalk right there.his points on how attackers have an advantage over defenders is why the future is niche, as hackers/spammers will have an advantage over big systems, in a way very analogous to how terrorism and fourth generation warfare beats big expensive armies.the whole digital government thing requires a few things:– ultimately, it must lead to a completely separate internet, not dependent on ICANN. this ultimately means a system that controls/governs computer issuance, mesh networks and the path by which these computers are connected (probably involving spectrum violation that uses software to filter out transmissions from unauthorized computers), and a domain system not dependent on ICANN. this is the long vision. — the more immediate vision requires business models that can exist in this environment. i believe a federation of small businesses that agree to the values of internet freedom and share a technical vision that will enable this, as well as philosophical agreements regarding the conditions, if any, that violence and civil disobedience are acceptable, is essential. — i believe a lot of the social networking business models we see, i.e. groupon, marketplaces like etsy/airbnb/etc, applied at the niche/local level will prove to be economically viable, doubly so when coupled with a virtual currency governed by a central bank.

    1. fredwilson

      Yeah I liked that too

    2. awaldstein

      You think groupon and etsy are social nets?

      1. kidmercury

        i think those services will eventually adopt greater social elements (or, perhaps more likely, niche social networks will adopt daily deals and P2P marketplaces as means of monetization).

        1. awaldstein

          I think the later.

    3. scottythebody

      I like some of this. It’s hard to find anyone who cares about internet freedom, though. I’ve been trying to get my friends to encrypt their email for 15 years and I’ve still not received a single encrypted message πŸ˜‰

    4. Matt A. Myers

      “… this ultimately means a system that controls/governs computer issuance, …”Does this really need to be off of ICANN though?

      1. kidmercury

        yes otherwise the domain name can just be seized and any alternative internet movement can thus be easily shutdown.

        1. Matt A. Myers

          So what about operating solely on IP addresses? Can those be seized or blocked somehow?

          1. kidmercury

            the whole path needs to be sent through safe points, which is the tricky part. IP addresses can work, though you may have an insurmountable usability problem there.

  9. howardlindzon

    so smart but horrible dresser…such a disconnect πŸ™‚

    1. LE

      I’ll help you with that thought.Althought the shirt looks new it has a pattern that reminds me it came from the 70’s and belongs in a friend’s mom’s bathroom. Or maybe living room drapes. Personally it’s not what I would expect juxtaposed to a pony tail.

    2. fredwilson

      Well he took off his stylin hat off at the start

    3. SubstrateUndertow

      I blame his wife !sorry about the sexism – just kidding

    4. scottythebody

      I lead an IT security team, and Bruce is one of our “main dudes” that we all look up to and admire — especially a lot of his work in crypto and his thoughts on privacy and security. Needless to say, I’ve spent hunderds of hours reading his work, and I somehow developed this mental image of him and a auditory version of his speech in my brain, and it was totally bad-assed. In my mind, he was almost like some sort of matheriffic Charles Bronson, talking tough about Google’s lackadaisical and dangerous views on privacy, taking Apple to task for its lack of security transparency, calling out bad security thinking by the TSA. He wore belted leather coats with sawed-off crypto cannons under his arm. His kung fu was more powerful than yours.Then I made the mistake of watching a video of him, which completely shattered my mental construction of the man.While I still very much respect and absorb his work (almost daily, really), he is now more of a King Neck Beard. A kindly and clear-talking Geek God with bad Hawaiian shirts.Still gotta love me some Schneier, though πŸ™‚

      1. Matt A. Myers

        Just have someone do a cartoon / character mockup up your visualization and it shall be reborn! Probably could fundraise with it to support some initiative he’d support. Maybe talk to him..

  10. LE

    Suggestion. Would be good if you could identify which video was going to be on Saturday a week or even a few days in advance. If it is longer than, say, 15 minutes. (Sounds like a homework assignment but there is no way to realistically squeeze in 55 minutes in order to comment on something intelligently.)

    1. fredwilson

      that would require me planning ahead, something i don’t do with this blog. it really is written in real time

      1. Matt A. Myers

        I turned it into a Sunday afternoon after Bikram yoga class watch … afternoon Amsterdam time!

      2. kidmercury

        blog stars def need a freestyle component to their game

  11. LE

    I don’t think Bruce targeted this speech correctly to the google crowd. I watched perhaps 10 minutes of it (noting what he was saying as well as how he was delivering it) and thought it might be good for perhaps non technical non nerd types but I think anyone sitting in the audience at google is way beyond this type of thing or information delivered this way. This might go over well with a group of business execs perhaps but not for this crowd. [1]And in fact if you skip forward to the questions at the end and just look at the expressions on the faces of people sitting in the audience (some have their laptops opened, some have their arms crossed, some look like they are sleeping) their reaction is disappointing. The body language tells all. They want to get back to what they are doing. Like a bad date. [2][1] He doesn’t appear to have given any thought to who he was speaking to. Likewise I bought the book when it came out but haven’t read past the intro portion I found it way to long and drawn out for whatever he was trying to communicate. No attention span for that (ironically) these days. It didn’t even make it past the “beach reading” test. Just my thoughts. I’m sure others liked it.[2] I’m not trying to be harsh but to make a point to anyone giving a speech to consider the crowd and what will engage them. My feeling is that Bruce didn’t do that here.Here is an example of Billy Joel giving one of his master classes at UofP. Note how he entertains and engages the crowd. Of course he’s an entertainer but in order to get your point across and not leave people sleeping that’s what you have to be.(I’ve marked at 1:11 into the video it’s worth a watch if you like “Scenes from an Italian Restaurant).

    1. SubstrateUndertow

      Maybe presenting such global overviews to a technical-detailing crowd is a fools errand ?

    2. Joseph K Antony

      …the gender and age imbalance of the audience is striking….does that mean anything?

    3. scottythebody


  12. SubstrateUndertow

    WOW! – a compellingly licid big-picture skinny on framing our hastily imprudent transition into the world of network-driven social-organics. We’re bastardizing those organics by stripping out all the essential distributive-mojo, its soul !Unlike lower-level platform-layers of the reality stack where interminably enforced valiance rules steer the organic self-organizing dynamic, all we get, along with our celebrated cognitive independence, are these rickety radioactive frameworks of collective cognitive-survival-strategy. Talk about herding cats!”Fools rush in where angels fear to tread”I blame postmodernist laissez-faire for emboldening old-school, pre-organic, responsibility-free capitalism.More than ever we need to have robust debates about our over arching social principles/frameworks. Sure those principles/frameworks go stale quickly, can mislead and make fools of us all but modernist frameworks are like a relay race. Yes new runners need to update those torch-light frameworks ever more frequently as technology accelerates, still that is preferable to collective panic-running in the darkness.Distributively Causal GovernanceStill waiting for the DISTRIBUTIVELY-ORGANIC network-revolution !Will there be distributive nodal Apps & Services for that ?DNA runs locally and similarly most of our data and processing objects should too.We are the Borg. We and only we shall decide how to assimilate ourselves!

  13. sigmaalgebra

    Schneier passed out a lot of raw material– history, observations, connections,conjecture, speculation, etc. Carefullyconsidering and evaluating each chunk ofall that content could take a long time.Since there were subtitles, maybe the textis available, and, if so, the text couldease considering and evaluating.It seems to me that the NSA intercepts, asbad as they are for the Fourth Amendmentand more, are a short term problem thatwill get solved soon: Maybe the nextpresident or Congress will roll back the’legal’ authority and do better ‘auditing’what NSA, CIA, etc. are actually doing.Else I have to suspect that enough legalcases will be brought and reach the SCOTUSthat we will get the Constitution defendedand the gross violations of, say, theFourth Amendment stopped.Just why more senators don’t want to joinwith Senator Wyden I don’t know. My guessis CYA: If the NSA is throttled and thereis another Boston bomber, then thesenators who throttled the NSA will getaccused of being “soft on terrorism”. So,the NSA data gathering is “securitytheater” (likely originally a Schneierterm) or: “Of course it has little chanceof stopping another Boston bomber, but, wehave to remember, it’s really expensive,intrusive, etc. and, thus, let’s us claimwe did all we could.”. It’s like ancientblood letting: Of course it didn’t curedisease, but you would not want to ask thepatient to pay a bigger price.But as I posted on this blog yesterday,apparently the NSA has a lot of data onnearly all US citizens, likely includingme, and, in terms of the Fourth Amendment,I never got a warrant. So, the NSAtrashed the Fourth Amendment. Done. Ihope some people/organizations with biglegal budgets bring suits. Then theSCOTUS can look at the Fourth Amendmentside by side with the data the NSAcollected and see, I hope, that theamendment was violated.Our founding fathers gave us citizensplenty of powers to get the NSA, CIA, FBI,etc. back well within the Constitution,and even if we don’t have 60% of thevoters screaming for General Clapper’sretirement, we can have legal cases.But, if we can’t get some reasonableassurances of privacy on the Internet andfrom cloud services, then we can get sometechnical solutions to have a lot in whatI view as the keys, data security,anonymity, and privacy.So, for the technical parts, broadly wecould use the commercial Internet, evenwith taps by all the major worldgovernments, just to move packets.Arrange that all the taps get isessentially just meaningless noise.Better luck next time spooks.How to do this: Sure strong encryption,proxies, and, between an end point and thefirst proxy, encapsulation of the IPpackets in a new protocol. The wholeworld doesn’t have to convert at the sametime. Instead, users especially concernedabout security could convert soon.Yes, we need operating systems that canrun with full safety just any software atall, including ‘malicious’ software with’viruses’, ‘Trojan horses’, etc. Broadly,the work for such operating systems has islikely implemented well in part now andotherwise on the shelf, well polished, andwaiting.Net, I believe that there are good andfairly easy solutions for the immediateterm problems Schneier discussed.

    1. Matt A. Myers

      I’ve only recently started to wrap my head around the needs and problems and the solutions that could help solve security and privacy. I have a vague picture that seems like it could work, though technology wise even if possible, adoption wise it may not ever hit the masses and therefore a chance of return on investment is even lower – since everything being in the cloud and tracked allows companies/platforms to potentially earn more profit per user.

      1. sigmaalgebra

        > I’ve only recently started to wrap myhead around the needs and problems and thesolutions that could help solve securityand privacy.May also want to include anonymity unlessbelieve it is covered by privacy.> I have a vague picture that seems likeit could work,I tried to suggest that the technical keysmight be strong encryption, proxies, and anew protocol between a client and a proxythat would encapsulate the IP packets suchas used now. Also, and related, wantoperating systems that can run any code atall, including malicious, safely. Don’twant spooks installing key loggers orworse.If the technology works, then governmentscould put taps anywhere they want andstill get essentially nothing.So, we have a Web browser B running onclient C communicating over the Internetwith a proxy P that communicates over theInternet with a Web server W.So, a spook sees packets from C to P, lotsof packets. But the data in the packetsis strongly encrypted so that all thespook learns is that client C iscommunicating with proxy P. Due to theencapsulation and encryption, the spookcan’t see that client C wants tocommunicate with Web server W. And proxyP is popular enough that maybe 100,000other clients are also doing much the samething. So, the spook gets lots of packetswhich mean essentially nothing.Then the spook can see that proxy P usesthe Internet to communicate with a lot ofWeb sites, cloud serves, etc. But thespook cannot find the connection betweensome of these communications and anyparticular one of the 100,000 clientsusing that proxy. Indeed, the connectionis carried in the memory of the proxyserver and is encrypted and volatile. Assoon as spooks knock on the door to theproxy facility, the proxy servers losetheir data and power off.So, proxy P communicates on behalf ofclient C with Web server W. In thesecommunications, usually, via C and W, the’message bodies’ are strongly encrypted.So, the spook sees communications betweenproxy P and Web server W but has no ideawhat the associated client C is. When theserver W receives the packets, as HTTPS, Wdecrypts the message body and proceedswith the usual Web client/server GET/POST,etc. If the HTTPS encryption is easy tobreak, then we need a new standard, maybeHTTPS2.For data in the HTTP header that mightidentify client C, browser B at client Cdoes not send such data. So, the HTTPheader lines to Web server W do notcontain, say,HTTP_USER_AGENT: Mozilla/5.0 (Windows NT5.1; rv:12.0) Gecko/20100101 Firefox/12.0> though technology wise even if possible,adoption wise it may not ever hit themasses and therefore a chance of return oninvestment is even lower -As I wrote, “The whole world doesn’t haveto convert at the same time. Instead,users especially concerned about securitycould convert soon.”> since everything being in the cloud andtracked allows companies/platforms topotentially earn more profit per user.Users will have to be more careful aboutwhat data they send to the cloud,companies, platforms, etc. And theorganizations receiving that data willhave to have some strong, publicassurances of data security. And thereshould be some auditing.

        1. Matt A. Myers

          Agree on your last points, though having the financial resources to do so is the trick. Obviously users/companies who require security and privacy should and would be willing to pay for this – it’s a matter of creating a system that is good enough, including useful with a good UX.

          1. sigmaalgebra

            > Agree on your last points, though havingthe financial resources to do so is thetrick. Obviously users/companies whorequire security and privacy should andwould be willing to pay for this – it’s amatter of creating a system that is goodenough, including useful with a good UX.We’re not talking big bucks here.For my technical solution:(1) The Internet need not be changed atall. Instead, we just use the Internetfor a little less functionality, that is,just to carry packets and make some of theaddressing in the packets useless tospooks.(2) The servers, cloud, etc. would need todo at most (A) deploy some HTTPS2 (andthen only if we don’t trust HTTPS) whichwill likely be open source, and (B) givesome audited, data security assurances,and initially only servers wanting toappeal to very highly concerned userswould need to do (A) or (B).(3) For the proxy servers, there are lotof those now. My proposal would justrequire some tweaks in the proxy servers– maybe using just a little hardware boxnext:(4) For my new encapsulation protocolbetween a client and a proxy server thatclient is using, just (A) get an opensource version of Linux good for anembedded system, (B) bring up this versionof Linux on some little computer, say,with a motherboard about 3″ x 3″ andcosting less than $50, and write a littlecomparatively simple software, likely justin C. Might be able to power the thingwith just USB.Then sell this box to concerned end usersand have them place the box between theirLAN and their connection to their ISP.(5) Push for a Web browser that doesn’tsend, say,HTTP_USER_AGENT: Mozilla/5.0 (Windows NT5.1; rv:12.0) Gecko/20100101 Firefox/12.0(6) ISPs be willing to drop the data thatlogically connects a MAC address, IPaddress, or e-mail address to a person.No UI/UX involved.Don’t have to get the whole worldconverted all at the same time or evenever. Could start with just one proxyserver and a few thousand highly concernedusers (endpoints).If the proxy server goes down, then a usercould just remove the box between theirLAN and the connection to their ISP and beback to something a little better thannow.This is all just off the top of my headwith no real thought at all. But somesuch thing should be easy enough to do,and if it worked the Internet could beawash in taps from spooks from governmentswho, then, get essentially nothing.

          2. Matt A. Myers

            Well, if I can tie this into my plans, I will try.

  14. Matt A. Myers

    Brilliant, awesome. This just clarified a lot for me, along with commenters here.

  15. GΓΈran Berntsen

    If you think this is interesting, check out @doctorow at Assembly a few days ago. Always fun to listen to, but scary too..