Beyond Fear
He then goes on to apply this method to a series of security issues while covering the various types of security and their weaknesses. For the most part this is not a technical evaluation of the tools used, but rather an analysis for each example of what the security goals are and how the tools and technology achieve or fail to achieve those goals. Even more importantly, he deals with the tradeoffs inherent in any security system.
Schneier applies this method not only to the global issues that have come up since 9/11, from airline security to protecting government secrets, but also to personal issues, including tradeoffs in personal home security. By doing so, he takes principles which might be hard for some to understand in the abstract and makes it clear how they apply in situations almost everyone has thought about.
By drawing parallels, for instance, between how you might select a home alarm system to how you might evaluate the use of face recognition at the airport, Schneier shows that you don't have to be a security "expert" to think logically about security. He brings to the forefront the tradeoffs that you made in these personal choices; for example, the downside of dealing with deactivating an alarm system every time you come home. Then, in turn, he shows how you must consider the problem of people being falsely identified by the face recognition system at the airport.
Given this strong framework, he then uses his method to analytically and dispassionately tear apart most of the silly and stupid security methods (note my dispassion here) that have been put in place or considered in the past few years, from airline security methods to national ID cards. With a combination of funny yet pointed anecdotes, clear statistics and the occasional Harry Potter reference, Schneier uses his talent for cogent, rational explanation to show how people can think about security in the modern world, instead of simply panicking at every ominous news report.
To Read Or Not To Read
So it sounds like a good book and probably would be for some, but there was not enough new content for me to make it worth my limited reading time. Perhaps due to my general interest in security, or just because waiting in line at the airport has already given me a lot of time to think, I have already considered most of the ideas Schneier raises in Beyond Fear. I own a shredder, but not an alarm system, because I have considered the risks and costs. I dislike the idea of a National ID card because I was already afraid of what someone might do who got access to it, and I already monitor my credit report. I have written my local representative that while his recent bill to remove SSNs from insurance cards is nice, it's far too late (and how about just getting people to stop using SSNs as passwords?). If this describes you, skip the book. However, you might note above I didn't say this was a waste of my money. This book is soon going to find its way into the hands of friends and relations who need to think about security. It is a great introduction to a way of thinking that is critical in a post-9/11 world. It should be required reading for members of Congress before any more security laws are passed based only on the need to do something instead of rational thought.
Summary
If you think consciously about security, know who Schneier is, or have ever noticed (and complained) that many airport security measures make no sense, you probably don't need this book. If you have only considered this topic in general, though, and want a book to focus your thoughts, Beyond Fear will do that. Finally, if you have friends who don't yet think this way (admit it, we all do), get this book into their hands. You can purchase Beyond Fear from bn.com.
Prepare to be dazzled! Well, as Timothy already mentioned, the name of the book that I read was Beyond Fear: Thinking Sensibly About Security In an Uncertain World. [Reads from back cover] It's about these ... fears. Fears... with security issues ... and ... methods for dealing with them ... and statistics ... Did I mention this book was written by a guy named Bruce Schneier? And published by the good people at Copernicus Books. So, in conclusion, on the Slashdot scale of one to ten, ten being the highest, one being the lowest, and five being average, I give this book ... a seven. Any questions? Nope? Then I'll just sit down.
I am sure most Slashdot readers know Schneier's name and his work.
Are you makin fun of me? Do I look funny to you?
As a computer person, I don't consider myself a great conversationalist. And I agree that I've already thought about a lot of the issues Schneier brings up in "Beyond Fear."
However, most "normal people" relate well to anecdotes and general examples, and this book is full of them. Instead of trying to describe how 256-bit keys are safer than 64-bit keys to non-technical friends and relatives, I've learned lots of metaphors involving door locks, car theft, and everyday risk assessment that will help me to get my point across a lot more clearly.
I think this is the point of this book. It's not technical. It's Security for the Everyman.
I am sure most Slashdot readers know Schneier's name and his work.
Wasn't this the guy with the cat in the lead box?
don't be afraud. consult with/trust in yOUR creator.
"It takes a long time to teach the judges, legislators, and public to understand technology. Right now, they're getting a strong dose of "education" on the Internet's threats and harms, and not hearing so much about its potential. Shouts of "piracy" often outweigh consideration of how we might communicate with more open media formats, but judges like Stephen Wilson in the Grokster case are starting to listen through the shouting. We're encouraging more people to think about how the law shapes technological innovation, how the technology itself can foster creativity, and then to do something about it to advance the public interest."--
"The stability of the large world house which is ours will involve a revolution of values to accompany the scientific and freedom revolutions engulfing the earth. We must rapidly begin the shift from a "thing"-oriented society to a "person"-oriented society. When machines and computers, profit motives and property rights are considered more important than people, the giant triplets of racism, materialism and militarism are incapable of being conquered. A civilization can flounder as readily in the face of moral and spiritual bankruptcy as it can through financial bankruptcy."
STILL, the ONLY 'controversy' about the gpl, gnu/linux, etc..., is coming from the phonIE payper liesense softwar gangster stock markup FraUD execrable/walking dead contingent.
Because most people here are die-hard capitalist conservatives who'll never get over their fears.
This came true on a national scale with 9/11 of course. The public went whole hog for the idea of airport screeners but those airport screeners have the brains of a mall security guard.
I'd love to see a simple process for evaluating new proposed 'security' practices in my organization to help debunk the idea that these proposals provide any security at all.
Hmm....so open-minded, rational people don't need to read this book, and irrational, knee-jerk reactionaries by definition won't read it, or won't be convinced. By the reviewer's logic this book is perfect....for noone.
But seriously, I can't imagine convincing an Ashcroftian to sit down and consider the other side, but I might read it just for some common sense ammunition. You know, some security...against those...who..want..more..security... Uh, yeah.
1. Don't own a car/house/boat/gun or anything else that requires registration/ownership title
2. Be part of a shared household (live with housemates who are similar minded).
3. Use cash to pay your share of rent/utilities
4. Use throw-away cell phones paid with cash
5. Use calling cards vended for cash via vending machines
6. Use cash on bus/train; don't use monthly or annual passes with your name associated with them
7. Work for cash (under the counter or freelance)
9. Travel via thumbing. Don't use train/plane/intercity bus. In some places you can go far via local bus to local bus.
10. Get around as much as possible via bike/skate/walking.
Cleara
I don't understand why Americans are so afraid of national ID cards. Where I live we have standardized national ID cards that are used in most situations, and I can't say how it has made me any less free.
In the modern world, we are counted and registered with our government. What is wrong with having a standardized card to show who we are?
I don't know if these cards would stop anybody from crashing airplanes, but they do help against things like identity theft, which is quite common in America but almost unheard of here. We don't have to have "three kinds of photo ID" to go to the bank, we don't consider our mother's maiden name or SS#'s security secrets, and we don't need to bring the electric bill to rent a movie.
Granted, my country is much smaller than the US, but I would support having an EU-wide identity card standard. I cannot see a sensible argument against it.
This might seem like common sense, but IMO a *lot* of otherwise clueful people could use having this sort of process tattooed in reverse on their forehead so they'd have to review it every morning when they looked in the mirror.
The trouble with any job that involves detail and careful attention is that the forest tends to duck behind all the damned trees, and this is especially true for IT. Hell, look at all the /.'ers in our recent discussions about programs or products that are "useless" or "should have waited longer to be released" because it doesn't provide absolute security, whereas in reality security is a *step by step* type of deal, not one of absolutes.
Anyhow, in my experience it often benefits even the "experts" to have the blatantly obvious spelled out in this way and laid out before them. Security isn't alone here -- this goes for just about all disciplines, IT or not. Given that, I think it's dangerous to dismiss something like this as too basic.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I am sure most Slashdot readers know Schneier's name and his work.
Oh sure, if he's from Soviet Russia and he, for one, welcomes 1-2-3-profiting from first posts, I'm sure most Slashdot readers know him.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
No. We aren't all born with the knowledge of obscure technologists here.
Bruce Schneier is well known as an expert in security and cryptography. In particular, he is possibly best known for writing the bible of cryptography: Applied Cryptography.
For other examples of his work, see here.
Fear is a strong word. I don't think getting an alarm system is evidence that you are cringing in fear, or even feeling fear. It may be a sensible step in a practical plan to simply be prepared. Obviously there are exceptions; some people truly are fearful, but I doubt most are.
One mistake Schneier tends to make is to ascribe certain thoughts to others that may not be there at all. For example, he seems to think that anyone who has a security system of any kind (software, hardware, etc.) assumes that system will be invincible. He then goes on to attack that assumption, without stopping to realize that the assumption he is attacking is not one that is actually held by most people. Now his new attack, on "fear" this time (that he thinks everyone with security systems must have), is of the same form.
However, over the years his all-or-nothing approach has mellowed, fortunately; since he is so influential, it's good that he is starting to see things less as black and white and more in terms of tradeoffs. The old view that poor security equals no security is easily debunked by pointing out that virtually all security systems in place everywhere are penetrable, yet they remain effective in the aggregate.
Bottom line: Beyond Fear is just a good title. Let's hope he doesn't really think that locking your car door is firm evidence that you are quaking in your boots.
This is slightly OT, but does anyone know of any good homebrew solutions for alarms? I've found a few things from Google, but I'd like some personal experiences from fellow Slashdotters. Along the lines of what I'm thinking is something that can tie into a spare box so that I can set up scripts to email/text mesg/whatever when the alarm goes off.
Note: it's already fairly easy to do this with motion detection systems, but I'm looking more at entry alarms on windows/doors (I know I could wire my own, but are there kits that people have used successfully?)
-WB
This is precisely why I don't bother with any encryption that isn't built in. Browser encryption - fine. Using PGP or RMSPG on my email -- as Dogbert asked, "Who would want to read your mail?" There is too much hassle involved, just on my end, never mind getting my sister or mother in law to read encrypted email. Unless you make a fetish of it for your own sake or you're sending something genuinely worth protecting, who cares?
What I'm listening to now on Pandora...
Bruce is not an obscure technologist. He is one of, if not the, leading name in Information Security. Of course, I'm an Information Security Analyst so maybe that's why he is not obscure to me...... :)
What are you the fucking review nazi?
No book for you!
I don't need no instructions to know how to rock!!!!
A worthwhile introduction to real-world (not just computer) security, aimed at a literate but non-technical audience.
Aren't all books aimed at the literate? (Ok, excluding some popup books)
Who the hell is Bruce Schneier?
It is amusing to watch Schneier walk a political tight-rope in many chapters, carefully pointing out that some issues come down to personal value judgments. He tries his best not to take sides but I feel the work is somewhat politically biased. e.g. I object to his assertion that airline pilots shouldn't be trusted with guns, simply because that is not their primary area of expertise. And I don't agree with his model of US military intervention - basically that intervention leads to anti-Americanism which leads to more terrorism - this leaves out the potential for positive social and economic intervention to weaken extremist positions.
Not to detract from the book as a whole; I found it an eye-opening read, and am very happy it was written and published.
No, the bible of cryptography is "Military Cryptology" by William Friedman. Unfortunately, it's not available thru Amazon. You'll have to go to Ft. Meade MD to get a copy. If you don't know who William Friedman is, find out.
and five being average
Nine is the average (and the median and mode) for slashdot book reviews.
So it sounds like a good book and probably would be for some, but there was not enough new content for me to make it worth my limited reading time.
so, uh, did you read the book or not?
For US government regulatory purposes, the value of a human life ranges from about $1.1 million to about $6 million. (1999 dollars). The current administration would prefer smaller numbers, because environmental and safety regulations are measured against those values. (1 CFR s305-88-7). So the Enron collapse, at $40 billion, equates to about 7,000 lives.
Yet Ken Lay is still at large.
I read the book, and I wished over and over that my representatives would read it too.
Next best thing: quote it in letters to my representatives.
He's the one that quit. You'd expect a bully like him to stay in and fight it out. I wonder why that ass backed down so quickly.
Ref: Amazon has the same price as bn.
Spend $7.50 more to get free shipping.
In reality, the US has a national ID system, consisting of your drivers license and your SSN (with your birth certificate thrown in occasionally). It simply is a bad one, poorly administered, insecure, and rife with identity theft and fraud. Why doesn't it get fixed?
Who knows. Probably a combination of stupidity, xenophobia ("the Europeans are doing it--it can't be any good"), crooks like it (and they get to vote and lobby, too), and because it is enormously profitable for some, like companies that make a living out of collecting data about you, aggregating it, and providing that information to others. A good system of national IDs with good privacy legislation would make those companies redundant.
Just renounce your US citizenship but remain in SF. That way you'll now be an illegal alien. Then just head on over to the DMV and they'll print your license out for you straight away.
3 things.
1) William Friedman is dead. Died 1969. Quick bio: http://raphael.math.uic.edu/~jeremy/crypt/contrib/daoudi2.html
2) Military Crypto is outdated. Written at least more than 34 years ago. Most likely before 1955, when he retired from the government.
3) Military Crypto might be out of print. Hence the reason it's not at Amazon.
Applied Crypto is much more up to date. Written during the 1990s, it contains C code of algorithm implementations for reference. Contains algorithms Friedman could only dream about.
Wait until the RIAA hears about this:
This book is soon going to find its way into hands of friends and relations who need to think about security
It is teh ghey conspiracy...
I am sure most Slashdot readers know Schneier's name and his work.
"Hi, I'm Bruce Schneier! You may have remembered me from my other books, 'A Long Day's Journey Out From Fright', and 'Security is a Well-Patched Mac'."
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
while underreacting to Enron, SARS, and North Korea.
North Korea I'll go along with, maybe even Enron. But SARS!? Underreacted? Were there ever more than a handful of SARS cases in the US?
-- Alastair
...quit being such a goddamned pussy. Yeah, yeah, I know... "flamebait" or "troll", but I honestly believe this. The US, especially, is increasingly full of people afraid to leave their houses, and when they do, they're armed to the teeth. I don't know what everybody's so goddamned afraid of. Michael Moore's "Bowling for Columbine" suggested this in a roundabout way, but I believe, that that's a big problem with the US. Everybody's becoming scared of their own shadow. Afraid of terrorists. Afraid of crime. Afraid of "cyber attacks" (this is beyond ridiculous). I suggest quit being such a goddamned pussy, that's what I suggest.
I agree. Anybody who says that SARS is something to be afraid of watches too much goddamned TV.
You could have dreamt up the stealth plane that was designed in 1970s?
Do not underestimate the military research...
BOO! TERRO
I have written my local representative that while his recent bill to remove SSNs from insurance cards is nice, it's far too late (and how about just getting people to stop using SSN's as identifiers?
The cat's out of the bag already. Pretending that SSNs are somehow secret was dubious enough thirty years ago, but is just plain reckless today. It's this coy game of 'if you know your SSN you must be you even though we know that's not true' that has allowed identity theft to proliferate.
Instead we need to just say, "this is my National ID # - use it for whatever you damn well please" - at that point people will have to start looking for real security solutions instead of the crazy half-baked ineffective one they're trifling with now.
Of course, this can't be done electively - there needs to be a national cutover date with probably 2 years notice (then at least 2 years of delays). All that needs to be done is to get Congress, the IRS, the President, and 'Privacy Advocates' on board. No problem.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Didn't he play the cop in all those Jaws movies?
I also liked him as Heywood Floyd in "2010".
I have something in common with Stephen Hawking...
From time to time we hear of drunk pilots being dragged off the plane. All it takes is one wingnut pissed off about paying child support and we have a big problem.
Better to keep the pilots unarmed. Have air marshals on random flights, and secure the cockpit door vs. even them.
Guys like Bernie Ebbers or the Tyco looters commit the financial equivalent of tens of thousands of bank robberies. What are the chances they'll spend as much time in jail as the average bank robber?
Expanding a vast wasteland since 1996.
I teach security to novices, and I have found Bruce's books extremely useful resources. As soon as I read Beyond Fear, I incorporated some of his ideas in my lectures (although I expanded the 5-step process to 6 steps for the students). Well recommended.
I was chief architect several years ago at a pioneering (and now dead) movies-over-the-net company. Beyond the technical issues involved, our biggest problem was movie-industry execs who insisted on "absolute, guaranteed, unbreakable" security. Needless to say, this was a bit of a stumbling block, as there's no such thing.
When I gave security-related presentations to non-techies, I got in the habit of asking for a show of hands asking who had locked their front door when they left home that morning. Needless to say, all hands went up. I'd then point out that a thief could break a window, tunnel through a wall, dig up through the floor, cut a hole in the roof, or batter down a door if they were determined enough to get inside...so why did they bother locking the front door? Thinking about this got people into a more reasonable mindset to discuss cost/benefit ratios and attack scenario analysis.
When all you have is a hammer, everything looks like a skull.
It has been found, however, that people of South Asian descent often carry a gene that makes them much more susceptible to SARS, which is part of the reason it caused so much havoc over there and hardly anywhere else.
It didn't cause havoc. I don't think that it killed more than 200 people. That's the point. People just eat up this fear coming from the media.