Disclaimer: To be clear, up front, I am not a security expert. My area of expertise is in editorial systems and content management.
First, I want to commend the Guardian for adding technical expertise to their team that's trying to make sense of the NSA disclosures. I've been saying this for a long time, you can't separate politics and technology, yet reporters have been trying to do that, even smart diligent reporters like Glenn Greenwald.
They brought on Bruce Schneier who is widely regarded as a security expert. He is someone I'm willing to listen to, and even follow, but I wonder if he's ready to lead.
There's a big job in front of us in the technology world, to try to put back together a semblance of security. Or else we don't have a banking industry, as one example. Want to make an airline reservation on a wide-open system where anyone can read any record at any time? I don't want to fly on that kind of airline, yet we are, and have been.
It's so wrong that the government has done this to us in the name of security!
Anyway, I have only met Schneier once, in public at an O'Reilly conference in 2002. He said something very wrong about a protocol I was a co-designer of. Making mistakes is okay, but you have to be willing to listen when an authority on the subject says you made a mistake. Schneier wasn't willing to listen. He had a couple of snappy dismissive responses. This isn't how you lead.
That was eleven years ago. Let's hope if Schneier is going to lead us now, that he's got a more sensible view of who can and can't be trusted. I think we're on the same side, he and I, for simpler protocols, easier to understand, and trustworthy computer networks. And, I hope, empowered people.
Back then, and now, I am a content management guy, not a security guy. I was searching for any network protocol that would let us connect users' machines with the servers that stored and rendered the content. The work we were doing then led to some pretty important things, in retrospect.
The first I heard that Schneier had a problem with our work was sitting in the audience at a major conference, where he offered a conclusion about our ethics, not a question, or even better a suggestion. It's true, we did want our messages to go through firewalls, because our users were not generally people who knew how to configure them, or who were trusted to do so in their organizations. Further, we wanted developers to be able to use scripting languages to build implementations of the protocol, and most of them at the time had HTTP support built-in. Finally, our application was publishing, the data flowing over our wires were blog posts and feed items. Imho this is exactly the kind of stuff HTTP was meant to carry, and didn't in any way represent a security issue.
Later, people wanted to use these protocols for banking systems. I guess Schneier's issue was with them, not me. But it didn't come out that way, and the people who came to hear him speak that day, and presumably on other days when I wasn't in the audience, got the wrong impression, and imho bad advice. My guess is that Schneier doesn't think in terms of content management, which is fine. But have the perspective to understand that there are uses of networks other than those you understand. There is specialization in networking, that should not come as a surprise.
We can't fight among ourselves this way anymore. We never should have in the first place. Let's work together, patiently and generously. That's why I'm writing this piece today.