You'd have to define trust to understand and then answer the question.
Trust is the inverse of what most people think it is.
Trust isn't about what someone will do, it's about what they won't do.
You might trust a guy with your life by asking him to hold a ladder whilst you climb up it, but you probably wouldn't trust the same guy with your medical history and insights into your state of mind and personal relationships.
Yet you would trust a doctor with your medical history, and you would trust a psychiatrist with your mental wellbeing.
The basis of trust is a belief that the person/entity you are trusting won't do something. In the case of that ladder, that the guy won't let go. In the case of the physician and psychiatrist that they won't share information about you.
The NSA stuff can be seen in that light, there is a betrayal of trust as the basis for trust in a government spy agency was that they wouldn't do a certain thing... spy on their own people. The rest is all forgivable (you pretty much should expect them to spy on everyone else whether you agree with it or not, that's their purpose).
When it comes to Bruce Schneier the question is "Do you trust Bruce Schneier?", but this seems to just beg the next question, "To not do what?".
I trust Bruce Schneier to not sacrifice his own principles and belief system in backdooring some code or otherwise compromising his work.
But I don't necessarily trust Bruce Schneier to hold a ladder that I'm standing on (he may well have a sense of humour that reflects silent cinema, and being up a ladder was never a good thing when a Loki character was holding it).
That would depend on what his work actually is. If it's to promote the understanding and application of cryptography and security, as we believe it to be, then misleading people would certainly compromise what he does. If, on the other hand, Bruce is an NSA shill, then misleading people would in no way compromise his work - it would be his work.
As much as we all might respect Bruce we should remain reasonably open to the idea that he can be wrong (maliciously or otherwise). In essence, we shouldn't let a single expert, no matter how good they appear to be, become a single point of failure in our understanding of a complex subject.
This is quite the long con if you think he's been developing, advocating and promoting free (as in speech) software for years just in case this NSA thing got out of hand.
I agree we shouldn't let a single expert become a single point of failure in our understanding of security, but that's missing the point in this discussion. Based on Schneier's long history of work, including advocating open source solutions, he's earned my trust, but the great thing is that because he's such an advocate for open source, you can check the code. Likewise, if you're reading something he's written, you can check his sources. You don't have to trust him. You can do your own fact checking!
But now you're actually arguing why he _should_ be trusted, rather than just taking it as a matter of faith, which was the whole point of the exercise.
This is a silly bunch of pedantic twaddle along the lines of "never assume, when you assume you make an ass out of u and me". The tacit assumption is that we're trusting (or not) Bruce Schneier as a source of information in his subject domain, and not as a mental health professional or holder of ladders.
Do you breathe? Wait -- breathe what? Is the sky blue? Which sky? Where? Let's define our terms! Was this message written in English or are you misreading fluent Alienese?
I think I get your point, but I feel you should try to bring it in a different way, without reverting to pure semantics play. To illustrate: I might as well say "In the case of that ladder, that the guy will hold on tight. In the case of the physician and psychiatrist that they will keep your information for themselves." And suddenly trust is all about what someone will do.
Think of it this way: if a person won't tell a lie that person is always truthful. But if a person will tell the truth, that person may or may not always be truthful.
You'd have to define trust to understand and then answer the question.
Trust is the inverse of what most people think it is.
Trust isn't about what someone won't do, it's about what they will do.
You might trust a guy with your life by asking him to hold a ladder whilst you climb up it, but you probably wouldn't trust the same guy with your medical history and insights into your state of mind and personal relationships.
Yet you would trust a doctor with your medical history, and you would trust a psychiatrist with your mental wellbeing.
The basis of trust is a belief that the person/entity you are trusting will do something. In the case of that ladder, that the guy will hold it. In the case of the physician and psychiatrist that they will keep your information private.
The NSA stuff can be seen in that light, there is a betrayal of trust as the basis for trust in a government spy agency was that they would do a certain thing... spy only on foreign people. The rest is all forgivable (you pretty much should expect them to spy on everyone else whether you agree with it or not, that's their purpose).
When it comes to Bruce Schneier the question is "Do you trust Bruce Schneier?", but this seems to just beg the next question, "To do what?".
I trust Bruce Schneier to honor his own principles and belief system by not backdooring some code or otherwise compromising his work.
But I don't necessarily trust Bruce Schneier to hold a ladder that I'm standing on (he may well have a sense of humour that reflects silent cinema, and being up a ladder was never a good thing when a Loki character was holding it).
That's an interesting way to look at trust but it's highly dependent on your own internal thought process and phrasing.
"I trust he WON'T let go of the ladder."
That's the same as
"I trust he WILL keep the ladder secured."
I'd say trust isn't about what you think the person won't do. It's about the person living up to their word or implied contract. It can be phrased either as a will do or a won't do.
Ladder guy holding it implies he will hold it securely. Doctor with private info implies he WON'T share it irresponsibly. That could also be worded as an expectation that he WILL keep it private.
"I trust Bruce Schneier to not sacrifice his own principles and belief system in backdooring some code or otherwise compromising his work."
OR
"I trust Bruce Schneier to be true to his principles and belief systems and maintain the integrity of his work."
Based on your definition of trust (which I tend to agree with) you have to know the other party pretty intimately to know whether you can trust them.
The Bruce Schneier you know wouldn't compromise his own principles and beliefs but what if the Bruce Schneier you know isn't real? What if those principles and beliefs never existed?
That's a very interesting way of putting it. But why do you trust your doctor or psychiatrist?
I would argue that we "know" Bruce Schneier from his writings and his works better than we know our doctors. The reason we "trust" our doctors is the implied and understood restrictions on sharing confidential medical data and not the character or works of the individuals (since we don't really know them).
With the NSA, that implied restriction (Constitution, laws) has been breached.
After the wall came down, the Stasi shredded a lot of their files. But they were reassembled a few years ago and they revealed that some of the dissidents at the time were snitching on their fellows in return for less harsh treatment.[1]
I don't think Schneier is similarly compromised - to give out misleading interpretations of the NSA leaks - but we can't know that with 100% certainty as long as the documents he's commenting on are not public.
It's a little off-topic, but those shredded files were put together with software (they scanned all the scraps and put them back together with algorithms).
Here is a link to the research article (couldn't find a free source, sorry): http://link.springer.com/article/10.1007/s00287-004-0395-8
You don't even need computers to piece together shredded work. Iran pieced together the shredded US Embassy documents by hand, and China pieced together shredded Soviet atomic bomb documents. You just need time and lots of people. Shredded material is often not well-mixed, so there is a great deal of spatial locality.
The thing that distinguishes the Stasi case is that they produced a lot more records, and German workers cost more than Iranian or Chinese workers. That's where the computers came in.
These days, with cross-cut and confetti shredders, the computers would become even more important.
The Maxwell brothers spring to mind. Panicking and using a single-cut type shredder to shred documents after Captain Bob's demise. I gather they were assembled piece by piece over months by UK forensic science employees.
I think a fair bit of his non-cryptography security advice of the past 10+ years has been...different than a lot of people I know better and have direct evidence of their competence would give. Increasingly so recently (the past year or two). As a cryptographer, particularly on the symmetric side, he does a good job (at least, the other people who I know who are good at that also think he does a good job; I understand number theoretic cryptology better than I understand the more complex details in designing symmetric stuff). He also went way far over to the "high level policy/politics" side post-BT acquisition vs. actual implementation work, other than crypto competition entries, as far as I can tell.
So, it's not so much "not trust" as "critically evaluate what he says each time".
> I have heard such requests before, and experience leads me to refuse. Either I will do too good a job of prosecuting myself, and convince you that I am guilty - or else you will decide that my prosecution was too half-hearted, and that I am guilty.
If the goal of the hypothetically-compromised Bruce Schneier is to reinstate public trust in weak crypto, he's doing an exceptionally bad job.
To the extent that he maintains crypto is still a plausible defense, there's a huge asterisk next to 'crypto' that boils down to: you really can't know whether you've actually got strong crypto. [1]
For anyone who doesn't have a burning interest in privacy or security, for the regular joe on the street, Schneier's collected reporting reads: they won, it sucks, we need to fight back at the ballot box.
[1] Due to all his reporting on the NSA: tapping every wire; injecting vulnerabilities and backdoors, whenever possible, in crypto libraries, crypto programs, services, operating systems and hardware; by hook or by crook, having access to just about every vendor's and service provider's keys and internal data. And if they want into your computer, specifically, Schneier maintains they're basically in. Hardly a reassuring word among them.
Seriously, this is the only rational response. This is what rational people do: weigh opinions and make their own decision. It's as if we're trusting this guy with our bank account information or something.
> He conflates absence of evidence with evidence of absence.
Absence of evidence is evidence of absence. The false statement of that form is "absence of proof is proof of absence".
If absence of evidence wasn't evidence of absence, then, at best, the presence of the event and the presence of evidence have no bearing on each other and are independent (in the statistical sense, i.e. the "evidence" is not evidence at all), and at worst, presence of evidence corresponds to the event not happening (i.e. the "evidence" is backwards).
Absence of evidence is [pretty much the weakest possible] evidence of absence. It is most useful for things which are readily apparent. It is not particularly useful for determining questions where the evidence is not readily apparent (such as, obviously, 'Is the NSA spying on Americans?').
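The two comments above (that absence of evidence is evidence of absence, and that it is usually very weak evidence) are both consequences of Bayes' theorem. The derivation below is an added illustration, not part of either comment; the symbols H, E and the numerical values are constructed for the example. Let H be the hypothesis ("the event happened") and E the observation that would count as evidence for it. E is evidence for H precisely when it is more likely under H than under not-H:

$$
P(E \mid H) > P(E \mid \neg H)
$$

Bayes' theorem for the case where E is not observed gives

$$
P(H \mid \neg E) = \frac{P(\neg E \mid H)\,P(H)}{P(\neg E)}, \qquad
P(\neg E) = P(\neg E \mid H)\,P(H) + P(\neg E \mid \neg H)\,P(\neg H).
$$

Since $P(\neg E \mid H) = 1 - P(E \mid H) < 1 - P(E \mid \neg H) = P(\neg E \mid \neg H)$, the denominator is a mixture of two terms, the smaller of which is $P(\neg E \mid H)$, so $P(\neg E \mid H) < P(\neg E)$ and therefore

$$
P(H \mid \neg E) < P(H).
$$

That is the first comment's claim: not seeing E lowers the probability of H. If instead E and H were independent, $P(\neg E \mid H) = P(\neg E)$ and the posterior would equal the prior, which is the "not evidence at all" case. How much the posterior drops is governed by the likelihood ratio of the non-observation,

$$
\frac{P(\neg E \mid H)}{P(\neg E \mid \neg H)} = \frac{1 - P(E \mid H)}{1 - P(E \mid \neg H)},
$$

which is close to 1 whenever $P(E \mid H)$ itself is small, i.e. whenever the evidence would be hard to obtain even if H were true. Two constructed instances with a prior of $P(H) = 0.5$ make the second comment's point concrete. For something readily apparent, take $P(E \mid H) = 0.9$ and $P(E \mid \neg H) = 0.1$:

$$
P(H \mid \neg E) = \frac{0.1 \cdot 0.5}{0.1 \cdot 0.5 + 0.9 \cdot 0.5} = 0.1 .
$$

For something hard to detect, take $P(E \mid H) = 0.02$ and $P(E \mid \neg H) = 0.01$:

$$
P(H \mid \neg E) = \frac{0.98 \cdot 0.5}{0.98 \cdot 0.5 + 0.99 \cdot 0.5} \approx 0.4975 .
$$

In the first case the missing evidence is strong; in the second it moves the estimate by less than one percentage point, so the absence of evidence is, as the comment says, pretty much the weakest possible evidence of absence.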
One may easily use the absence of evidence of woolly mammoths to conclude that woolly mammoths are extinct. Given their physical size (they are easy to detect) they could not remain hidden from view. We can assume (from our knowledge of other large mammals) that they would leave signs of their presence wherever they trod (footprints, dung, etc.) It is not so easy to use absence of evidence to disprove the existence of neutrinos or tree shrews. Both neutrinos and shrews are hard to detect. There are few people even qualified to attempt to detect them, fewer who are interested, and even fewer who have the resources and opportunity.
A relevant question is "Is it possible for spies to conduct espionage undetected for an extended period of time?" The answer is yes, there is ample evidence of that. Schneier is clearly in a place of trust in his community, making him a high value target. The standards of evidence for betrayal of trust being high (and difficult to define), mean that Schneier could potentially be a spy/collaborator in some capacity, and/or could become one at any time.
This is only the case for binary events (either "it happened" or "it didn't"), which in the real world are quite rare. "Absence of evidence" usually means "The test hasn't been run yet", or "The test results are inconclusive." This is, of course, different from "The test has been run, and I'm choosing to rationalize the results after the fact."
Furthermore, I took it as him saying that he could provide a list of reasons that people should not trust him but he won't because it would be the security pundit version of cock-blocking himself.
No, he is suggesting "innocent until proven guilty", you are suggesting the opposite.
This is a "have you stopped beating your wife" question, what could any person say except "there is no evidence that I am untrustworthy". How do you mathematically verify a person?
The technically correct answer is "mu" or "wu". It's an Asian term for absence. In the context of a question, it means that the question cannot be answered correctly due to a lack of preconditions or because the answers are restricted to a set which does not contain the correct answers.
"Did you stop beating your wife" must be answered wu if you have not been beating your wife. "stopping X" requires the precondition that X was happening at the time of the question.
"Am I trustworthy", as the parent comment pointed out, must be answered wu as well, because it probably is impossible to be universally and unconditionally trustworthy.
Even if it is not, judging if one will be unconditionally trustworthy in all contexts, actions and all possible futures of this situation cannot be estimated with enough confidence, unless your life will end within a very short timespan.
Reading the comments below Schneier's post, I was reminded again just how much the Internet has changed how we interact. Here is an expert creating a space and inviting anyone with an opinion to gather and discuss whether he can be trusted, while he quietly (and amusedly?) observes. I can't imagine anything analogous to this IRL.
His work is out in the open for all to see. I'm sure that he has a very large target on his back for what he has accomplished. There are more than a few government tools and internet fools who would consider their careers made if they could point to any technical compromises in his work. They haven't been able to.
On a "what do I do?" practical level, it's not about trusting him.
The point is his suggestions or advice point people in a direction that they or people they trust can verify. If he were spreading false information, by now, he'd be shown to be unreliable. But for many, many years, he has consistently been not proven intentionally false. I word it carefully because he has been wrong, but being wrong is not being false.