42 of 45 people found the following review helpful
on October 20, 2008
There is a perception in both the private and government sectors that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must 'get'.
Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person whom I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and other newspapers and magazines. The book is divided into 12 sections, covering nearly the entire range of security issues from terrorism, aviation, elections, economics, psychology, the business of security and much more.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.
The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security require that people remove their shoes, due to a one-time incident with a shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plots is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United States' counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes, since there is a certainty that government powers will be abused.
Schneier observes that the USA PATRIOT Act is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers are bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And many of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on are those news threats, such as shoe bombers and liquid explosives, that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schneier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schneier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know, the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that makes it a tragedy of epic proportions.
22 of 24 people found the following review helpful
on February 21, 2009
I got this book for free. I would not have paid money for it, since all of Bruce's essays and writings in this book are all over his website & blog. Bruce is very up-front about that. At the same time, though, I can't give Bruce a low rating because the content is very Bruce-- very good. If you want a "book formatted" version of Bruce's writings, here you go, but I would suggest picking up his _Beyond Fear_ book first, then subscribe to either his blog or mailing list (or both). If you want more Computer Security info, look to his _Secrets and Lies_ book first.
19 of 23 people found the following review helpful
on October 6, 2008
Being a fan of Bruce Schneier's other books, I looked forward to his latest work "Schneier On Security", and certainly was not disappointed, although I found that I had read some sections of the book previously.
"Schneier On Security" consists of a compilation of articles published by Mr. Schneier from 2002 through the summer of 2008.
If you regularly read Crypto-Gram and Wired Magazine you will be familiar with some sections of this book. Articles published in other magazines and newspapers, and reprinted in this book, I had not previously read and enjoyed the opportunity to read them now.
As with all of Mr. Schneier's writings, the articles in the book are thought provoking yet at the same time easy to read.
The book is divided into 12 chapters, followed by a large list of web-sites providing additional information and references.
The chapters are:
1 - Terrorism and Security
2 - National Security Policy
3 - Airline Travel
4 - Privacy and Surveillance
5 - ID Cards and Security
6 - Election Security
7 - Security and Disasters
8 - Economics of Security
9 - Psychology of Security
10 - Business of Security
11 - Cybercrime and Cyberwar
12 - Computer and Information Security
Each chapter consists of a few previously published articles related to the chapter topic.
Well written, thought provoking, and an opportunity to get several of Mr. Schneier's articles collected into a single volume.
7 of 8 people found the following review helpful
on April 14, 2009
Schneier's security mantras are:
Security is a trade-off.
Security is about people, not technology.
Security is about failure, not success.
Security is obtained by skilled intelligence gathering.
Because Schneier presents a collection of previously published articles and blog posts he repeats himself a lot, but that's OK as it reinforces the mantras all the more strongly.
When he writes of airport security, for instance: if our name is on a no-fly list, the clerk at the check-in desk will not permit us to board our flight. Why should he? If he does and we are terrorists, he's fired and maybe prosecuted. If he doesn't allow us aboard despite the fact we are upstanding citizens, he is praised for doing his job. Are we more secure? No. A genuine terrorist will probably avoid using a name on a no-fly list. And who manages this list? Can we check if our name is on it? No, we can't. If we do find out we are on the list, e.g. by being refused boarding for no adequate reason, can we get our name off it? No, there's no appeal process. The no-fly list is a bad system; it effectively sentences people without due process.
Compare this with the 1999 attempt to sneak explosives into the US from Canada. The culprit wasn't arrested because his name or license plate number was on a watch list, but because a trained border crossing agent, Diana Dean, recognized suspicious behaviour and decided to investigate further. What led to her decision cannot be quantified or turned into a procedure; her instincts were honed by years of experience.
The applicable mantra in both cases is "Security is obtained by skilled intelligence gathering". Read the book for illustrations of the other mantras.
Schneier looks at other areas, including the security surrounding election systems, the protection of privacy, cyberwarfare and others.
Overall, an excellent account of what security is all about, illustrated with detailed examples.
Vincent Poirier, Tokyo
7 of 9 people found the following review helpful
on August 12, 2009
The content of this book is good: interesting perspectives on everyday security problems and why the existing solutions won't work.
However there were two things that frustrated me about this book:
Firstly, Schneier makes a few suggestions on how things should be done, but sometimes without elaborating his reasoning. Other times he'll explain why existing measures don't work but without offering anything better of his own.
Secondly, while I appreciate that this is a collection of blog postings and past articles, some were already out of date when the book was published, and many of them overlap with almost identical ideas and even copy, and this means there is quite a bit of repetition between chapters. I feel like these articles could've been merged and refactored into a more suitable list of edited chapters before being published as a book.
That said, it's still a worthwhile read.
2 of 2 people found the following review helpful
on July 23, 2011
A book that covers the spaces where technology and security intersect shouldn't be this interesting or easy to read.
In the field of computer security, Bruce Schneier's reputation precedes him. That would lead you to believe that his writing is dry, technically challenging, and inaccessible. This book is none of those things. It's an extremely lucid discussion of security as it relates to terrorism, the airlines, elections, and cyberwar. You don't have to be a computer whiz, or even use computers at all, to enjoy this book.
The specific examples might be dated, but Schneier isn't trying to sway you on specific past events. He's trying to change the way you think about security or about security-related matters when they're reported in the news. He does a very good job.
This book is actually a collection of articles on the author's blog and in magazines, so the material could conceivably be tracked down and read for free in other places. But this book makes a great souvenir edition to have.
Chapter 4's collection of thoughts on Privacy and Security, a very timely issue that we'll certainly continue to hear more about in the next decade, is worth the cover price of the book by itself.
1 of 1 people found the following review helpful
on April 23, 2013
I had already read Liars and Outliers and learned to appreciate Bruce Schneier's writings. This book, or bundle of essays, has inspired lots of thought as to our security as a country and an online community. I find myself wondering what he would add to some of the essays after the bombings in Boston. I can tell that he gets to say, "I told you so!" very often.
Another great thing about his books is the references. Thanks to an essay within this book, I have ordered Nothing to Hide: The False Tradeoff between Privacy and Security by Daniel Solove and I am sure I will find a few more books or authors that grab my attention.
Whether you are looking for security writings to use for references in a college project or enjoy learning from those who have had first hand dealings with boards in Washington DC, this book will have what you are looking for.
2 of 2 people found the following review helpful
on January 30, 2012
This is a great security book.
In chapter after chapter, Bruce Schneier says the security truth.
One of the better books out there.
on October 30, 2013
I'm not very political. In fact I'm jaded toward the whole process. Truth be told, I think it's mostly a ridiculous, pathetic circus...but unfortunately it's a ridiculous, pathetic circus that increasingly affects every single one of us, especially when it comes to security and privacy. And this book highlights how the issues of security and technology very much affect us as individual American citizens. No matter what side of the political spectrum you come from, make no mistake, the issues of security, privacy, and technology have extreme implications that you should thoroughly consider. Further, this is one area where those of various political stripes (even opposing on many issues) can hopefully find some common ground.
The limited space of a review isn't the proper platform to explain how and why the combination of bureaucracy and technology create a machine capable of incredible power and scope, and how that exponentially increases the danger of misuse. Some people (even intelligent very well intentioned people) simply do not see the intimate connection between security, privacy, and liberty; they honestly do not perceive any danger in a centralized authority capable of literally pinpointing and tracking you at any moment (along with everybody you know and everybody they know)...a centralized authority capable of accessing your entire life (bank accounts, utility services, medical records, credit access and history, detailed purchasing history and shopping habits, travel routines, phone conversations and records, email correspondence, internet activity, literally everything that allows you to function in modern society) at the mere touch of a few buttons. The idea that many people seem oblivious, or worse apathetic, to such an incredible danger borders on insanity. This is not paranoia; it is not delusional or extreme...it is pure common sense. Anything with that much power poses an enormous threat, period. Even now, the power balance disfavoring the individual has become so disproportionate it would seem almost laughable if it weren't so spine-chilling. History has much to say about human nature in the context of power, and it behooves the wise to use extreme caution and view with a high degree of cynicism those in control of such disproportionate power.
As Acton said: "All power tends to corrupt; absolute power corrupts absolutely." One could slightly alter that truth by inference...power tends to corrupt proportionally. Thus, the more power, the more corruption. Human history would challenge anybody to prove otherwise.
I pretty much devoured this book, which is a collection of short essays from various publications (websites, blogs, newspapers, etc.) on a whole range of security and technology issues. The book is very well written, easily accessible, and the format allows it to cover an impressive range of related issues that highlight the complexity of the subject. Schneier has a clear, reasonable, and concise style that complements the subject and allows you to very quickly "get your feet under you" in trying to wrap your mind around the issues involved. His expertise is obvious (and verifiable), which, combined with the logic he uses lends a credibility to the book that reasonable people will find very refreshing and reassuring. Schneier does a wonderful job of explaining how security and privacy are not mutually exclusive, and, perhaps even more relevantly, how our current approach does not protect us from outside threats (e.g. terrorism, identity theft, etc.), and instead only makes us feel better while stripping us of vital protections of a very different but equally important kind (privacy and liberty).
One of the primary reasons this book deserves the read concerns Schneier's putting forth some very fundamental principles and vital concepts that everybody -- and I do mean everybody -- should take special note of. For example:
"Privacy is an inherent human right and basic human need, and a requirement for maintaining the human condition with dignity and respect." Privacy and anonymity are "intrinsic to the concept of liberty" and "protect us from threats by government, corporations, and individuals."
In the context of modern society, "what happens to our data happens to ourselves...control of our data means control of our life...our data is part of us...it's intimate and personal, and we have basic rights to it...it should be protected from unwanted touch." In other words, your access to basic goods and services and all the things necessary to exist and function in modern society depends on your "data double". Since in a free society you have a right to live and breathe and pursue your happiness as you see fit, and your data is essential to both those ideas, you by extension have a right to the control of that data.
"...surveillance information will be abused...privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance."
"Think it's okay to give up your privacy if you're doing nothing wrong? What happens when 'wrong' gets redefined?" "Redefined", that is, subject to limitless scrutiny, audit, and judgment at any time for any reason by any criteria those in control see fit, all subject to change on a whim. What happens when those who get to define right and wrong and have the power of the sword (and the pen of mass media and propaganda) to enforce their view decide they want to change the rules in the middle of the game? Indeed, what if they created the game and can utterly control it (both prospectively and retrospectively) when and as they see fit to their own benefit at the expense of others?
In one sense, "Security is a trade-off. It makes no sense to ask whether a particular security system is effective or not...The proper question to ask is whether the trade-off is worth it." But in the larger sense, "there is no security without privacy" because privacy is prerequisite for security, and "liberty requires both." Therefore, "the debate isn't security versus privacy." That's a completely false dichotomy and pure political rhetoric. America's security doesn't come from the NSA or Walmart, it "comes from our freedoms and our liberty." Indeed, the debate isn't security or privacy, "it's liberty versus control".
For the record, I certainly don't agree with all Schneier's conclusions, but at the very least, this book will give you a ton of food for thought, and point you in the direction of becoming more informed and reasonable. It will give you tools to more critically evaluate the rhetoric we're constantly exposed to. It'll also probably scare you a little. And rightly so. Right this very moment, "we're building a computer infrastructure that makes it easy for government, corporations, criminal organizations, and even teenage hackers to record everything we do." Every day it grows more powerful, for good or ill. If we fail to approach this infrastructure wisely and cautiously, we will all suffer greatly.
1 of 1 people found the following review helpful
on October 16, 2010
Bruce Schneier is the Chuck Norris of security. His philosophical thinking on everyday security will entertain you and help shed light on some of the security theater we face every day.