21 of 21 people found the following review helpful
I first read about Bruce Schneier in an eye-opening article by Charles Mann in the September, 2002 issue of The Atlantic Monthly. It seems that you don't have to make the false choice everyone is agonizing over between security and liberty. You can have both.
Schneier's book expands on the ideas in the article. Although Schneier is a technology fan and it is his livelihood, he realizes that sometimes a live security guard can provide better security than cutting-edge (but still fallible) face-recognition scanners, for instance. He explains why national ID cards are not a good idea, and how iris-scanners can be fooled.
These are ideas for security on a large scale, for airports, nuclear and other power plants, and government websites. For security on an individual or small business scale, try Art of the Steal by Frank Abagnale. But even if you don't run a government, Beyond Fear is a fascinating read about how your government is making choices (and how they SHOULD be making choices) about your security and about your rights.
29 of 32 people found the following review helpful
on August 4, 2003
Bruce's greatest strength is in the role of Evangelist -- he translates the complex aspects of security into a vocabulary suitable for common consumption. If you're a sociologist, a risk management officer, or a cultural psychologist, you'll be familiar with a lot of the upstream references from which Bruce draws his examples. Conversely, if you're working in an office where "solving that security problem" is one of your many tasks, you won't have the time or inclination to dig out the esoteric sources. Consider this book as an alternative, far less onerous choice.
The book is easy reading -- it flows quickly and keeps returning to a common set of themes. These are set against many contexts so you're sure to find something familiar. You won't find any math or Greek notation in here, to the disappointment of "Applied Cryptography" die-hards but the relief of everyone else.
The underlying message, seeing beyond the Fear, Uncertainty, and Doubt (FUD) propagated by mass media and the government, is a key one to understanding why it's OK to question this hyper-security-conscious world we find ourselves in. Airline security is an arena familiar to most business travelers, and we as passengers are expected not only to accept increasingly invasive measures, but welcome them without hesitation. Bruce teaches us how to evaluate the efficacy of these schemes both individually and in the aggregate. The results will surprise all but the most cynical among you.
That said, this is not the textbook of a conspiracy theorist. Bruce willingly admits that improving security correctly is a worthwhile pursuit, and even teaches us how to do it. You won't find the rantings of an ill-informed libertarian crackpot.
If your interests lead you to ask questions and be curious about the changes to your world in recent years, you will find this an entertaining and informative volume. Democrat or Republican, luddite or technology businessperson, it's worth a look at your earliest opportunity.
12 of 12 people found the following review helpful
on January 21, 2004
Not quite what I'd expected. I'd read & enjoyed 'Secrets & Lies', and I thought this would be more of the same. This book is really a discussion about what actions have been taken post 9/11, and in parts it's a criticism of the overreaction that there has been.
However, it's not overtly political, and gives dozens (perhaps a 100) practical worked examples of good & bad, effective & ineffective, responses to security issues, whether it be physical, electronic etc.
There is a 5-step process which I found useful to apply to everyday situations; and (in highly abbreviated form) these are: what are you trying to protect; what are the risks; risk mitigation; risks caused by the solution; trade-offs.
The core message is: "as both individuals and a society, we can make choices about our security", and this book helps you understand how to make those informed decisions.
13 of 14 people found the following review helpful
on February 10, 2005
The title of the book refers to the steps to take after fear is sensed. To move beyond fear is to understand it, how it affects you and why, and what you can do about it. And that is what the book addresses - what things do we need to secure, from our personal interests, to national interests.
Schneier addresses this in the framework of five questions to ask about security. Although the process seems crude, it does touch the heart of the security issue - what are we trying to protect, why, and what happens if we don't protect it?
I particularly like his idea of brittle versus flexible security. When a brittle security system fails, your asset is screwed. A (poor) example would be burying your money in your back yard. If this is compromised (someone finds it), then you lose all your money, and that's the end of it. Compare this to a bank account. If someone robs the bank, or fraudulently takes your money, the bank is obliged to get you your money back. (So maybe you should bury your bank account number and password in your back yard!)
Although much of the discussion is on the level of national security, he also has gems of wisdom like suggesting that you leave the bathroom light on while you're away to deter burglars. And he points out your identity is more likely to be stolen from your discarded papers than from someone stealing your info on the internet.
I really appreciate the last part of the book where he lists the most-likely causes of death among Americans. What I got from that was not that I should avoid international airports, or dig a fallout shelter, but simply that I should make sure that I and my family are securely buckled up when we drive. Now that's putting 9/11 into perspective.
23 of 27 people found the following review helpful
on October 18, 2005
This book is very informative, interesting, and entertaining. I've recommended it to people both within and outside the CS and IT communities w/o reservation.
Rather than reiterating things said in the many positive reviews, I'd like to take issue with one reviewer who says Schneier misuses the term "threat." In particular, this reviewer says "A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset." This definition is both counter to standard English usage and counter to standard usage within the computer security field. Every book on my shelf has roughly the same definition of threat: "Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability" -- Stallings, Network Security Essentials, p. 5. So a threat is a condition or event, not a party. The reviewer seems to confuse threat with potential adversary.
Schneier's terminology is the standard terminology, and he uses it correctly.
9 of 9 people found the following review helpful
on October 16, 2003
Executive summary: Timely and well written. Buy it.
Bruce has a great ability to "keep it real" - which is why his books are so readable and down to earth. With a background in cryptography, Bruce has broadened his scope to become one of the broadest-thinkers in security today - no mean feat by any measure.
One of the reasons I tell my corporate consulting clients to "Read Bruce's books" is because he's able to put things into the overall context in a way that is uplifting rather than depressing or overwhelming. For example, I consider "Secrets and Lies" (and now "Beyond Fear") to be essential bookshelf material for anyone who has to deal with security. When people are starting in security and ask me where to begin, it's with these books. Absorbing them, and the concepts behind them, is a good way of avoiding the pitfalls in this complex field.
For the non-security-professional, this book is also a terrific read. Read it more like it's a spy novel, sit back, and enjoy it. Movie script-writers? If you're going to write a script that touches on computer security: read this book.
8 of 8 people found the following review helpful
on January 5, 2004
I have read a number of the Pro and Con reviews. I think it is important to take a good look at the title of the book, and use that as a guide to a buying decision. This book is not an in-depth cookbook of technical approaches to combat hackers, but rather a sensible way of looking at the issues that contribute to an aura of security, the appearance of security, and actually being secure. I really liked the whole premise, because we are such an image-conscious and sound-bite-oriented society that it can become quite difficult to deliver a thought-provoking treatise on a topic that many think they know so much about.
My only negative comment would be that it got a little slow at the end, for me. Maybe I was just tired that night or something.
He cites a few excellent examples of places or instances where someone did something that they honestly felt would contribute to increased security, when the actual effect turned out to be the opposite. If I may draw a crude comparison: if you appreciated some of the observations, and perhaps even the writing style and presentation in Hammer and Champy's "Reengineering the Corporation", then you will like and appreciate this volume. The way Mr. Schneier presents information, and the way he introduces you to perceived vs. actual may strike you as being similar. (No offense meant to either author - I enjoyed both)
7 of 7 people found the following review helpful
on October 31, 2003
"Anyone who tries to entice you with promises of absolute security or safety is pandering to your fears" (pg 277).
This whole book is filled with common-sense and not-so-common-sense thinking. I had the opportunity to see Schneier speak at Toorcon 2003 in San Diego and I can tell you this guy not only knows as much as anyone about security, he also talks *like a normal person*. He's not arrogant, he doesn't throw in gratuitous Latin terms, he just makes a very clear point with extremely strong logic to back it up.
That's what this book is: a handbook on how to logically sift through all the garbage that's trickling down to us via the US media and our govt. Does the FBI need expanded snooping powers? Not according to Schneier, who backs that up with facts regarding 9-11 that tell us the right govt agencies *had* the info, they just couldn't analyze it all. So giving up a bunch of our privacy for the FBI to get more info doesn't make much sense in combating terrorism.
This is just one example in dozens. You may not even agree (I've met a few FBI people and they ALWAYS say they need more power/info), but reading this book allows you to pull the emotion out of security-based decisions, whether they are about home alarm systems or airport security lines.
For people who aren't familiar with Schneier, he is basically a semi-legend in the information security field for his cryptography, writing and speaking. His last book, "Secrets & Lies", broadened the scope of his writing from crypto to general infosec. Now he has broadened his focus even further to include the physical world (beyond the server room). To be honest he doesn't really even bring up computers directly that often, and when he does he usually tells us that they aren't nearly as good at making security decisions as people. Seasoned infosec people won't be surprised by any of the logic or conclusions in this book, but it's still worth a read because Schneier has obviously spent a lot of his brain's cycles thinking about security in general and we can all benefit from his conclusions.
Schneier has won my respect with this book. It proves that not only does he get the security details (the crypto), he gets the "big picture", even when the big picture has nothing to do with computing (e.g., muggings). It is rare to find this in one company, let alone one person.
10 of 11 people found the following review helpful
on August 12, 2003
Bruce Schneier's latest book is a departure from his previous work, leaving the technical realm largely behind as it looks at the concept of security in the whole. He brings a clear and witty expertise to the subject, balancing the real concerns with concepts that enable us to evaluate and act on our individual security situation.
Security is a timely but complex issue, and Bruce has always been great at taking complex issues and breaking them down for the reader so that all the concepts seem clear and understandable, while at the same time building concept on concept until you have a clear and deep understanding of a various difficult situation. He provides a five step process that allows you to evaluate your risk and security solutions, identifying those which are ineffective and increasing security in each individual's life.
Bruce uses a variety of interesting examples, which all by themselves are worth the read. He writes witty, engaging prose throughout. The book is, simply, a great read.
This is an important book. It covers one of the most critical concerns of our time in a clear and accessible way, while at the same time discussing and clarifying the complexity and nuances of the subject. It provides the reader with a really good read, and with tools to use to make them truly more secure and to understand and evaluate what our governments are doing on our behalf in the security arena.
7 of 7 people found the following review helpful
on August 1, 2003
Beyond Fear is a must read for anyone who wants to figure out what's really going on when security issues hit the news. Reading Schneier's clear explanation about how security decisions usually get made helped me understand why so few of the ones we hear about seem to make any sense! In addition to his insightful analysis and handy five-step rule for making security decisions, the book is filled with fascinating anecdotes and stories that make for an entertaining and interesting read. Every member of our government needs to read this book - and you should too.