Slashdot Mirror


Beyond Fear

pres (Preston Tollinger) writes "I picked up Beyond Fear: Thinking Sensibly About Security In an Uncertain World basically because it was by Bruce Schneier. I am sure most Slashdot readers know Schneier's name and his work. The problem is, this book probably isn't for you (but might be perfect for someone you know)." To find out what he means by that, read on for the rest of Tollinger's review, below.

Beyond Fear: Thinking Sensibly About Security In an Uncertain World
Author: Bruce Schneier
Pages: 256
Publisher: Copernicus Books
Rating: 7
Reviewer: Preston Tollinger
ISBN: 0387026207
Summary: A worthwhile introduction to real-world (not just computer) security, aimed at a literate but non-technical audience.

The Book

Beyond Fear is described very well by its subtitle: this book helps you think sensibly about security. Don't expect the highly technical material you have seen in Schneier's previous books, but rather the more accessible material, much like you might read in his monthly newsletter. That doesn't mean the book is breezy: in Schneier's wordy but well-written manner, he describes a five-step process to analyze any particular security system or practice. The process helps you make sure you understand what you are protecting, what the tradeoffs are, and whether, in the end, it is worthwhile to implement the system.

He then goes on to apply this method to a series of security issues while covering the various types of security and their weaknesses. For the most part this is not a technical evaluation of the tools used, but rather an analysis, for each example, of what the security goals are and how the tools and technology achieve or fail to achieve those goals. Even more importantly, he deals with the tradeoffs inherent in any security system.

Schneier applies this method not only to the global issues that have come up since 9/11, from airline security to protecting government secrets, but also to personal issues, including tradeoffs in personal home security. By doing so, he takes principles which might be hard for some to understand in the abstract and makes it clear how they apply in situations almost everyone has thought about.

By drawing parallels, for instance, between how you might select a home alarm system and how you might evaluate the use of face recognition at the airport, Schneier shows that you don't have to be a security "expert" to think logically about security. He brings to the forefront the tradeoffs that you make in these personal choices; for example, the downside of dealing with deactivating an alarm system every time you come home. Then, in turn, he shows how you must consider the problem of people being falsely identified by the face recognition system at the airport.

Given this strong framework, he then uses his method to analytically and dispassionately tear apart most of the silly and stupid security methods (note my dispassion here) that have been put in place or considered in the past few years, from airline security methods to national ID cards. With a combination of funny yet pointed anecdotes, clear statistics and the occasional Harry Potter reference, Schneier uses his talent for cogent, rational explanation to show how people can think about security in the modern world, instead of simply panicking at every ominous news report.

To Read Or Not To Read

So it sounds like a good book, and it probably would be for some, but there was not enough new content for me to make it worth my limited reading time. Perhaps it is due to my general interest in security, or just because waiting in line at the airport has already given me a lot of time to think, but I have already considered most of the ideas Schneier raises in Beyond Fear. I own a shredder, but not an alarm system, because I have considered the risks and costs. I dislike the idea of a National ID card because I was already afraid of what someone might do who got access to it, and I already monitor my credit report. I have written my local representative that while his recent bill to remove SSNs from insurance cards is nice, it's far too late (and how about just getting people to stop using SSNs as passwords?).

If this describes you, skip the book. However, you might note above that I didn't say this was a waste of my money. This book is soon going to find its way into the hands of friends and relations who need to think about security. It is a great introduction to a way of thinking that is critical in a post-9/11 world. It should be required reading for members of Congress before any more security laws are passed based only on the need to do something instead of rational thought.

Summary

If you think consciously about security, know who Schneier is, or have ever noticed (and complained) that many airport security measures make no sense, you probably don't need this book. If you have only considered this topic in general, though, and want a book to focus your thoughts, Beyond Fear will do that. Finally, if you have friends who don't yet think this way (admit it, we all do), get this book into their hands.

Comments (13 of 152 shown)

  1. Process vs Organized Security by Schmucky The Cat · · Score: 4, Insightful
    This piques me. I'd love a process that evaluates proposed security processes. Every place I have ever been, but especially workplaces, has had some sort of "Security" organization. In all cases the goal of that organization has just been to make up insane new practices or arbitrary restrictions that serve to enhance the power of the security organization.

    This came true on a national scale with 9/11 of course. The public went whole hog for the idea of airport screeners but those airport screeners have the brains of a mall security guard.

    I'd love to see a simple process for evaluating new proposed 'security' practices in my organization to help debunk the idea that these proposals provide any security at all.

  2. What's wrong with national IDs? by hanssprudel · · Score: 4, Insightful

    I don't understand why Americans are so afraid of national ID cards. Where I live we have standardized national ID cards that are used in most situations, and I can't say how it has made me any less free.

    In the modern world, we are counted and registered with our government. What is wrong with having a standardized card to show who we are?

    I don't know if these cards would stop anybody from crashing airplanes, but they do help against things like identity theft, which is quite common in America but almost unheard of here. We don't have to have "three kinds of photo ID" to go to the bank, we don't consider our mother's maiden name or SS#s security secrets, and we don't need to bring the electric bill to rent a movie.

    Granted, my country is much smaller than the US, but I would support having an EU-wide identity card standard. I cannot see a sensible argument against it.

    1. Re:What's wrong with national IDs? by Otter · · Score: 3, Insightful
      I don't understand why Americans are so afraid of national ID cards. Where I live we have standardized national ID cards that are used in most situations, and I can't say how it has made me any less free.

      I think it's a combination of 1) people are used to what they're used to, and when you are accustomed to not having an Official State Identification Number there's unease about suddenly getting one, and 2) many Americans, my own family included, fled here from countries where the government's concern with tracking you was less than entirely helpful.

      At the same time, there are obvious advantages to having a standard identity, which is why driver's licenses (state governments are trusted much more than the federal government) and social security numbers have taken on far more importance than they were ever intended to have. Essentially, the combination of the two already serves as an official identity.

      By the way, I have no idea of the relative rate of identity theft in the US and Europe, but it's certainly not "common" in any sense in which I'd use the word. If there's a significant difference, it's probably due to the fact that Europeans don't routinely have 15 different credit accounts.

    2. Re:What's wrong with national IDs? by abulafia · · Score: 3, Insightful
      I don't know if these cards would stop anybody from crashing airplanes, but they do help against things like identity theft, which is quite common in America but almost unheard of here. We don't have to have "three kinds of photo ID" to go to the bank, we don't consider our mother's maiden name or SS#s security secrets, and we don't need to bring the electric bill to rent a movie.

      Most of what you cite is convenience. It may be convenient to have one card for everything, but that doesn't mean making it mandatory is a good idea. Identity theft can be stopped in other ways, and it isn't even clear to me that a national ID card would do much to stop it here at all.

      The US started differently than European nations, and has a long history of distrust of the government. I still believe this is a valuable thing.

      The only party getting value out of national ID cards is the government. Why should I quietly give that to them? I have no reason to.

      --
      I forget what 8 was for.
    3. Re:What's wrong with national IDs? by Matthew Austern · · Score: 2, Insightful
      I don't understand why Americans are so afraid of national ID cards.

      Read the book. This is one of the cases that he analyzes. The questions to ask about national ID cards are the same as for any security measure: what assets are you trying to protect, what threats are you trying to protect against, how well does this measure work to reduce the risks from those threats, what new threats does it introduce, and so on.

      I can see ways in which a national ID card could be useful. I do not see that it could be useful as a security measure. I can see ways in which it could hurt security. (It could increase the risk of identity theft, for example, by creating a new database with security issues of its own.)

      But again: read the book. If I were to present a complete security analysis of national ID cards I'd just be ripping off Bruce Schneier anyway, so you'd be better off getting it from the original than from my summary.

  3. "Not for you"? by Skyshadow · · Score: 4, Insightful
    Key bit from the review:

    ...he describes a five-step process to analyze any particular security system or practice. The process helps you make sure you understand what you are protecting, what the tradeoffs are, and whether, in the end, it is worthwhile to implement the system.

    This might seem like common sense, but IMO a *lot* of otherwise Clueful people could use having this sort of process tattooed in reverse on their forehead so they'd have to review it every morning when they looked in the mirror.

    The trouble with any job that involves detail and careful attention is that the forest tends to duck behind all the damned trees, and this is especially true for IT. Hell, look at all the /.'ers in our recent discussions about programs or products that are "useless" or "should have waited longer to be released" because they don't provide absolute security, whereas in reality security is a *step by step* type of deal, not one of absolutes.

    Anyhow, in my experience it often benefits even the "experts" to have the blatantly obvious spelled out in this way and laid out before them. Security isn't alone here -- this goes for just about all disciplines, IT or not. Given that, I think it's dangerous to dismiss something like this as too basic.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  4. Is he reading too much into people? by Anonymous Coward · · Score: 4, Insightful

    Fear is a strong word. I don't think getting an alarm system is evidence that you are cringing in fear, or even feeling fear. It may be a sensible step in a practical plan to simply be prepared. Obviously there are exceptions; some people truly are fearful, but I doubt most are.

    One mistake Schneier tends to make is to ascribe certain thoughts to others that may not be there at all. For example, he seems to think that anyone who has a security system of any kind (software, hardware, etc.) assumes that system will be invincible. He then goes on to attack that assumption, without stopping to realize that the assumption he is attacking is not one that is actually held by most people. Now his new attack, on "fear" this time (that he thinks everyone with security systems must have), is of the same form.

    However, over the years his all-or-nothing approach has mellowed, fortunately; since he is so influential, it's good that he is starting to see things less as black and white and more in terms of tradeoffs. The old view that poor security equals no security is easily debunked by pointing out that virtually all security systems in place everywhere are penetrable, yet they remain effective in the aggregate.

    Bottom line: Beyond Fear is just a good title. Let's hope he doesn't really think that locking your car door is firm evidence that you are quaking in your boots.

    1. Re:Is he reading too much into people? by Anonymous Coward · · Score: 2, Insightful

      One mistake Schneier tends to make is to ascribe certain thoughts to others that may not be there at all. For example, he seems to think that anyone who has a security system of any kind (software, hardware, etc.) assumes that system will be invincible. He then goes on to attack that assumption, without stopping to realize that the assumption he is attacking is not one that is actually held by most people.

      Schneier has spent years in the fields of crypto and security. He's seen a lot of people who have exactly that expectation of a security system, at least in computers. He himself used to believe it was possible; his previous book was written when he realized it wasn't. He was somewhat depressed by the realization. Now he's moving on. Yeah, he is probably guilty of some projection, understandably, but a lot of people are standing right where he's aiming.

      Most people understand that physical security is not absolute, but this understanding doesn't transfer over to computing.

  5. Re:Best example of how to speak about Security by Skyshadow · · Score: 3, Insightful
    The trouble with that is the tendency to run into serious "metaphor shear" when using an example you're making up on the fly...

    Here's a book idea: come up with metaphors for computer-related ideas which will stand up reasonably well even as the user/cluebie/PHB makes assumptions based on them. I'd buy two copies, one for work and one for home, and keep 'em right next to the phone. I can't tell you how often it'd be useful...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  6. Re:Crypto by CGP314 · · Score: 4, Insightful

    This is precisely why I don't bother with any encryption that isn't built in. Browser encryption - fine. Using PGP or RMSPG on my email -- as Dogbert asked, "Who would want to read your mail?" There is too much hassle involved, just on my end, never mind getting my sister or mother in law to read encrypted email. Unless you make a fetish of it for your own sake or you're sending something genuinely worth protecting, who cares?

    Well, the idea is if you only send important email in encrypted form, then the important email is easy to spot and brute force. But if you encrypt everything, then brute force is not such a viable option.

    That's the idea anyway, but I'm with you. I tried to use PGP for a while, but none of the people I emailed had any idea what it was, and didn't have the inclination to learn.
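
The traffic-analysis point CGP314 makes above (an encrypted message in a mailbox of plaintext is easy to single out; an all-encrypted mailbox gives the eavesdropper nothing to aim at) can be shown concretely. What follows is an added example, not code from the comment, from Schneier's book or from any PGP implementation: it stands in for PGP with a toy SHA-256 counter-mode XOR keystream (hypothetical, unauthenticated, demo only), uses a constructed four-message mailbox, and picks out "probably ciphertext" by byte entropy with a threshold of 5.5 bits/byte that I chose. The threshold works because English prose uses only a few dozen distinct characters, so its entropy is bounded by log2 of that count, while a few hundred bytes of cipher output sit close to 8 bits/byte.

```python
import hashlib
import math
from collections import Counter

# Bits per byte above which a message is treated as "probably ciphertext".
# Chosen for this demo: prose with <= 45 distinct characters cannot exceed
# log2(45) ~ 5.49, while a few hundred bytes of keystream output land near 7-8.
ENTROPY_THRESHOLD = 5.5


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter-mode keystream.

    Hypothetical toy cipher standing in for PGP so the example runs offline:
    no nonce, no authentication, never use it for real traffic. XOR is its own
    inverse, so the same call decrypts.
    """
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(p ^ k for p, k in zip(data, stream))


def flag_high_entropy(messages, threshold=ENTROPY_THRESHOLD):
    """Indices an eavesdropper would single out as 'worth attacking'."""
    return [i for i, m in enumerate(messages) if shannon_entropy(m) > threshold]


# Constructed sample mailbox for the demo; none of these are real messages.
CHATTER = [
    b"Hi Mom, are we still on for dinner on Sunday? I can bring the photos from the lake trip "
    b"and the lemon cake recipe you asked about. Let me know if six is too early, otherwise "
    b"we will see you then. Love, Pat",
    b"Reminder from the reading group: next month we are doing the Schneier book, so grab a "
    b"copy from the library before they are all gone. Coffee and snacks as usual, and please "
    b"bring back the chairs you borrowed last time.",
    b"The plumber can come by on Tuesday afternoon to look at the kitchen tap. Someone needs "
    b"to be home between one and four. If that does not work for anyone, reply and I will "
    b"try to move it to Thursday instead.",
]
SENSITIVE = (
    b"Attached are the signed merger documents and the wire instructions for the escrow "
    b"account. Do not forward this to anyone outside the deal team, and please confirm "
    b"receipt before the end of the day so counsel can file in the morning."
)
KEY = b"demo key for the example only, not a real secret"


def selective_encryption_scenario():
    """Only the sensitive message is encrypted: it is the single outlier."""
    mailbox = [CHATTER[0], toy_stream_cipher(KEY, SENSITIVE), CHATTER[1], CHATTER[2]]
    return flag_high_entropy(mailbox)


def encrypt_everything_scenario():
    """Every message is encrypted: nothing tells the eavesdropper which one matters."""
    mailbox = [toy_stream_cipher(KEY, m) for m in (CHATTER[0], SENSITIVE, CHATTER[1], CHATTER[2])]
    return flag_high_entropy(mailbox)


if __name__ == "__main__":
    print("encrypt only the sensitive mail -> flagged:", selective_encryption_scenario())
    print("encrypt everything              -> flagged:", encrypt_everything_scenario())
```

In the first scenario the flagged list is just the sensitive message's position; in the second every message is flagged and the entropy test carries no information about which one to spend cryptanalytic effort on. Real PGP output is easier to spot than this (ASCII armour headers and packet structure identify it without any statistics), so the entropy check understates how visible a lone encrypted message is; what encrypting everything changes is the attacker's target selection, not the per-message cost of breaking the cipher.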

  7. The administration doesn't want you to read this by Animats · · Score: 2, Insightful
    This might lead people to realize that the US has overreacted to Al-Qaeda, Iraq, and street crime, while underreacting to Enron, SARS, and North Korea.

    For US government regulatory purposes, the value of a human life ranges from about $1.1 million to about $6 million. (1999 dollars). The current administration would prefer smaller numbers, because environmental and safety regulations are measured against those values. (1 CFR s305-88-7). So the Enron collapse, at $40 billion, equates to about 7,000 lives.

    Yet Ken Lay is still at large.

  8. We NEED to use SSN's as identifiers by bill_mcgonigle · · Score: 2, Insightful

    I have written my local representative that while his recent bill to remove SSNs from insurance cards is nice, it's far too late (and how about just getting people to stop using SSNs as identifiers?)

    The cat's out of the bag already. Pretending that SSNs are somehow secret was dubious enough thirty years ago, but is just plain reckless today. It's this coy game of 'if you know your SSN you must be you, even though we know that's not true' that has allowed identity theft to proliferate.

    Instead we need to just say, "this is my National ID # - use it for whatever you damn well please" - at that point people will have to start looking for real security solutions instead of the crazy half-baked ineffective one they're trifling with now.

    Of course, this can't be done electively - there needs to be a national cutover date with probably 2 years notice (then at least 2 years of delays). All that needs to be done is to get Congress, the IRS, the President, and 'Privacy Advocates' on board. No problem.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. Re:A better lifestyle... by ScrewMaster · · Score: 2, Insightful

    This goes back to a smug, complacent nation that has not, for over two hundred years, had to deal with the daily brutality experienced by people in the majority of other nations. By simple numbers the normal state of humanity, worldwide and throughout its entire history, is one of abject misery. We've always felt ourselves a protected class, here in the United States, and thanks to the good work of our Founding Fathers and a couple centuries of isolationism we pretty much were. Then we got involved in world affairs and we aren't as "safe" anymore.

    But ... so what. There really isn't a whole lot you, me, or the rest of the population can do about terrorists. Worrying about it and losing sleep is utterly counterproductive. Worry about the bald tires on your car or those squeaky brakes: those are much more credible and immediate threats.

    To continue the analogy, when I'm a passenger in a car, I try to be alert and watch what's happening around me because there is a real possibility that I could do something to avoid an accident. Conversely, when flying on a jetliner, I typically take a nap. Why is that? Because, while there is still a finite risk of sudden death, if that plane decides to prematurely stop flying and bury itself in a mountainside I'm toast whether I'm wide awake or out cold. So, I simply don't concern myself about negative outcomes and doze off or read a book.

    It is important to focus our worries and concerns in areas where they will actually do some good. Unfortunately, I don't see that happening. Since 9/11 I have heard numerous public officials make statements like "We have to make people feel secure so they'll go back to work." Notice they never say they'll actually make us more secure, they just want us to feel more secure so we'll get on with our lives and so the economy won't plummet again. It's a national con job that has taken in a lot of people, but I can't even say that they're wrong in doing it. People were freaking out about the attacks and something needed to be done, I guess.

    Compare what our lives are like, even now after 9/11, to what the Israelis and Palestinians suffer each and every day of their lives. The possibility of sudden death at an enemy's hand, of being blown into very small pieces while eating one's lunch, is very real and very much a part of their daily routine. We are still terrified about something that happened a couple of years ago. Yes, it is pathetic. Get out and live your life, that's what I say.

    --
    The higher the technology, the sharper that two-edged sword.