Wednesday, June 30, 2004

USENIX '04: Bruce Schneier Q&A session

* security theatre & threat assessment need to be kept in mind
most threats are exaggerated; most attackers aren't that competent

* education is a big issue
schneier's mom will never, ever get internet security. (when she calls for tech support, the first thing they have her do is turn off her firewall, but they never actually remember to turn it back on when they're done with the call.)

* it's important to ask what a countermeasure is supposed to accomplish
why shut down the roads? does it keep truck bombs away? no, it just causes them to get poorer gas mileage on the way to their target. so what?

* it's important to manage risks & choose countermeasures that are actually efficient
banning taking photos in NYC is silly; getting people to report abandoned packages makes some sense

* how can we push for smarter policies? who can we talk to?
schneier tries to push for rational, nonpartisan debate. "we're fighting a holding action." we're probably stuck with dumb security for at least the next decade, but somehow not expecting to be able to win the debate makes him more assured.

* stupidsecurity.com admin: when rational debate fails, does browbeating & insulting dumb security make sense? he obviously thinks so, and schneier said it was a good website

* passive resistance is worth considering; get your peers to be aware & speak up with you

* some targets are worth heightened security efforts
the questioner seems to give conventions as a positive example; schneier cites airlines as another