I’ve been reading Bruce Schneier’s blog for a year or so now. For Christmas, I bought myself his book on general security, Beyond Fear. He has a few other books out, including one on cryptography (Applied Cryptography), which is the field in which he started, and one on digital security (Secrets and Lies), which is the field in which he works. But he’s built up a fair amount of expertise in security in general, which is what his blog is mostly about. Since the World Trade Center attacks of 11 September 2001, Schneier has been increasingly critical of the cost-effectiveness of the various security measures that the government has taken, and even more critical of the loss of security inherent in the loss of freedom that many of those measures threaten.
Most of the subject material in this book is covered in his blog, as well as in the various op-ed pieces and columns he’s written for newspapers and magazines. But here the material is collected in one place. It’s not simply a collection of pieces written elsewhere. It’s a step-by-step exposition of the general principles of security, designed to get everyone who reads it more familiar with those concepts and, hopefully, less fearful. The idea is that if people are more mindful of actual security and less worried about the perception of security, we’ll all be better off.
I should preface the rest of this review by noting that I have little independent knowledge of security, so I cannot vouch for Schneier’s correctness. I have some experience designing and implementing security measures for Expedia, and that experience confirms a few of the things Schneier writes about. I can also say that much of his writing makes internal sense. In other words, the various pieces complement each other rather than contradict. And he walks readers through the logic and math of some items, so there is some basis for believing what he writes about those items. But that, and the whole book, rests on a lot of assumptions that I have little inclination to spend the time to independently verify. My gut tells me he’s right because there hasn’t been much in the way of other security experts telling us he’s full of shit. He’s got the cred.
There are three parts to his book, each consisting of a number of chapters. The first part, Sensible Security, introduces the reader to five questions Schneier uses to evaluate any security measure: What are you trying to protect? What are the risks? How well does the solution mitigate those risks? What risks does the solution itself cause? What trade-offs and costs are imposed by the solution? In the end, the last question is one of the most important and most subjective. What’s worth it to one person might not be worth it to another, especially if one of them doesn’t have to pay the cost directly. Part two of the book focuses on the third question. It breaks security down and explains some of the concepts that can be used to tell how well a solution works. In addition to this five-question test, part one also talks about the various people involved in security and their agendas. Not a lot of specifics, though he does use some examples to illustrate. The book isn’t about specifics; it’s about how security works generally. The agenda of pilots is not the same as the agenda of flight attendants, which is not the same as that of passengers, which is not the same as that of the airlines. Some folks would rather have “better” security that merely shifts the risks onto someone else than security that increases everyone’s safety.
The second part, How Security Works, deconstructs security, though not in a textbook fashion. There’s considerable overlap between many of the chapters. He has chapters on where the vulnerable parts of systems generally are (where systems connect with other systems), brittleness (it’s bad; make your security fail gracefully rather than spectacularly), detection rather than prevention, response and mitigation, social engineering, and identity and authorization. Throughout it all, Schneier uses copious examples. Many come from post-9/11 security measures. Many others come from the animal kingdom. Those were the ones I found most interesting, though they are probably less directly useful, because evolution means that animal attackers change their tactics much less frequently than human attackers do.
The last part, The Game of Security, seems to me mostly to be an exhortation not to be afraid and to become more involved in security decisions. However, this section lacks the punch that the first two have. Schneier gives people only cursory ideas on how to play the game, and even less on how to win. That makes sense, though. Schneier’s expertise is more on the technical end of security than on the political. In the general security arena, he’s more of an adviser than a player. That doesn’t mean he has nothing to add; I think a lot of the lessons he’s learned in playing politics to get security implemented in digital systems (what his company Counterpane does) are applicable generally. But I don’t get the feeling that he’s extrapolating those lessons here.
I loved getting a better feel for the various topics he writes about in section two. It’s much more systematic than reading his blog, which is basically reactive to news and events. I don’t feel like it gave me enough information, though. I still can’t evaluate a security measure beyond a general level. For instance, does standardizing something add more security than it takes away by providing a single point of failure that can be attacked repeatedly? No idea. In other words, I know the concepts now, but I have no way to measure them, even to an order-of-magnitude standard. (Schneier makes the point that much of this stuff can’t be measured with accuracy.) This makes playing the game that he talks about in later sections that much harder. Without measurements, it’ll be pretty hard to counteract emotional responses and agendas.
Still, my perspective was fairly well informed before I read the book, and that makes me more critical because I get less out of it. I highly recommend the book for the reason that a lot of people are starting from a basis of little knowledge about security. For such readers, it’ll be eye-opening and informative. Schneier is a good writer. He knows how to explain security to the non-security-conscious. He doesn’t get bogged down in technical jargon. He uses easy-to-understand examples that people will be familiar with. He explains things in digestible pieces.
Author: Bruce Schneier
Title: Beyond fear: thinking sensibly about security in an uncertain world
Imprint/Publisher: Copernicus Books / Springer Verlag
Publication date: 2003
Format: Hardcover
Length: 295 p., includes index
ISBN-10: 0-387-02620-7
Subject: Terrorism — United States — Prevention
Subject: War on terrorism, 2001-
LC Classification: HV6432.S36 2003