Schneier on Security
brothke writes "There is a perception in both the
private and government sector, that security, both physical and digital, is
something you can buy. Witness the mammoth growth of airport security
products following 9/11, and the sheer number of vendors at security
conferences. With that, government officials and corporate executives
often think you can simply buy products and magically get instant security by
flipping on the switch. The reality is that security is not something
you can buy; it is something you must get." Keep reading for the rest of Ben's review.
Schneier on Security
author: Bruce Schneier
pages: 336
publisher: Wiley
rating: 10
reviewer: Ben Rothke
ISBN: 978-0470395356
summary: The best articles from one of security's best
Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person who I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and other newspapers and magazines. The book is divided into 12 sections, covering nearly the entire range of security issues from terrorism, aviation, elections, economics, psychology, the business of security and much more.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.
The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security require that people remove their shoes, due to a one-time incident with a shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plots is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United States' counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes, since there is a certainty that government powers will be abused.
Schneier observes that the USA PATRIOT is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential power is bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And much of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on, are those news threats, such as shoe bombers and liquid explosives that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schneier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schneier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know that the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that, makes that a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Two things:
First, Van Gogh painted Bruce Schneier's portrait over a hundred years ago.
Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.
Secondly, I want to point to an afterword to Cory Doctorow's Little Brother. Bruce Schneier writes:
That's just a snippet; as the book is one long HTML page, do a word search on "Bruce Schneier" to find the afterword.
Free Martian Whores!
I didn't think that was possible.
The price is usually money, time, emotional energy, study, and perhaps reduced functionality.
Then again, that's probably the point of the book.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"Buying" security is easy, because throwing money at a problem is always the simplest path.
Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time.
[Fuck Beta]
o0t!
I can't wait until this guy starts doing late night infomercials. If there is one thing Bruce is really good at...it's marketing. I remember when he gave me an autographed copy of Secrets and Lies for dropping 20 grand with Counterpane....I will cherish it forever
People who bite the hand that feeds them usually lick the boot that kicks them
I've learned over time working in many companies that security isn't important. What is important is the perception of security to the auditors, the clients, and the management. That's the key.
If Chuck Norris tried to break Bruce Schneier's security, what would happen?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.
I've been thinking about terrorism lately and its causes and its implementers. Most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.
Terrorism is the result of very desperate people who have lost all hope and feel powerless. The Middle East and its people have been shit on for a couple of millennia; whether by western powers, others in the Middle East (Persians and Turks), Asians. These are people who have felt shit on by the World and there's nothing they can do about it. The creation of Israel was the straw that broke the camel's back - so to speak.
To make a long story short, if we gave autonomy to the Middle east (Oil supplies be damned!), meaning pull out completely. I think terrorism would stop or at the very least, decrease dramatically.
I also disagree with folks who think that if we were to leave the Middle East, others would gain control of the Oil thereby sending us into a depression or putting our military and defense in jeopardy. It won't happen.
"Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schneier asks, has it been worth it?" The United States is slowly resembling one of those padded rooms....
"The reality is that security is not something you can buy; it is something you must get."
WANTED: One security professional who knows what the hell they're doing. Please apply at the door.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
Seriously, if we all donated a few cents via PayPal, would this guy just STFU and go away??? He's as bad as Paul Graham.
If you don't understand that you can post the name of the 3-letter agency while using an anonymous account, you can't be much of a cryptographer.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Come on, I read this and it's not very good. And I'm a professional cryptographer working for a 3 letter agency.
Wow. I am positively blown away by the sheer credibility of your post.
I just have to say it again. Wow.
Anons rule.
Baboons are cute.
Schneier and I are both employed by the same parent company
[X] Brownnosing in progress
[ ] Fair and balanced book review
I've always wondered how often a single article could contain the words "Bruce Schneier", and you have just met my wildest expectations
I disagree - I read it and it's the best thing ever written. And I'm CTO for all of the 3 letter agencies.
He simply decrypts the truth.
http://www.betterworld.com/list.aspx?SearchTerm=Bruce+Schneier
and save the planet while you save your a**
http://www.betterworld.com/custom.aspx?f=impact :-)
It doesn't do much good to point all this out. Security theater serves the interest of people who make the decisions and real, effective security does not. How do you make decision makers care about effective security? I don't know. Decision makers are almost entirely immune from the consequences of their decisions.
I'm checking NKB and NSB to answer this troll (biters anonymous here I come). But as a Christian, I take offense at what this idiot is posting.
Mom, I'm going to go fuck a hooker
Assuming the kid is not married, I find nowhere in the bible that the poster has obviously never read that says fucking hookers is a sin. I bet the troll who posted this is a four hundred pound glutton, that IS a sin.
Afterwards, I'm going to go smoke pot with my friends, since it's "not addictive."
Drugs aren't even mentioned in the bible, nor is addiction! The only drug mentioned is alcohol, which is said "give wine to the sad and strong drink to the dying".
Hi, honey! I'm pregnant again. I guess I'll just get another abortion, since "fetuses don't count as human life."
First, abortion is a personal matter between the man, woman, and doctor. Second the bible doesn't say when life begins. I personally would not want my own progeny aborted, but Christ said "why do you try to pluck the speck from your brother's eye when there's a beam [ceiling joist] in your own eye? First remove the beam from your own eye so you can see to remove the speck from your brother's."
There are two gay men fucking each other in there
That's also 1. none of your fucking business and 2. not even mentioned in the New Testament.
The atheist couple quickly put on a pair of black robes and hoods.
That's some really offensive bullshit. Beg for God's forgiveness, you intolerant asshole. That isn't how any atheist I know is.
I've seen this troll before and the only reason I'm responding is to point out that Christians don't troll although some people who pretend to be Christian do.
Free Martian Whores!
So you give it a two?
Free Martian Whores!
People responsible for things like airport security are ultimately bureaucrats. They are not experts, nor do they have the time or attention to get down to brass-tacks. The only thing they can do is throw money at the problem.
This is how everything works from Airport Security, to product development and Q/A, to passing Financial Bailout legislation.
People who are in-charge of things often are 'executives' - meaning that they oversee a "big picture". These are usually people who are not experts in specific areas.
People who are experts in specific areas will rarely have 'executive' position (I use the word "executive" literally - meaning high-level overseers).
Example: a brilliant scientist spends his entire life solving equations, coming up with theories, designing and building rockets. He/she is revered in his/her work and excels, and is well known. This person will ultimately become a "lab fellow", or a "tenured professor", etc. etc. etc, they will not generally become the head of NASA. These are different positions, and different skill sets. The "big-picture" guys are always the "political" ones. Mitt Romney would become the head of NASA before a scientist like I mentioned. And if that scientist were offered the position - their heads would be too into mathematical formulas and rocket designs to ever shift gears and worry about budgets and crap.
So the system is set up such that those at the helm are the executives, not the experts.
Executives don't know any better than to react - It's only the experts that really think proactively - because that's what they do. Furthermore, executives (like in the TSA) aren't really hired to "make us safe" - they're hired to "make us feel safe".
I've been saying this for 20 years: "If we were serious about airport security, we'd do what they do in Israel". Their security is incredible, and obviously not the work of a pencil-pushing bureaucrat. Their security was obviously devised and executed by people who were heavily, heavily invested in and dedicated to it - on both professional and very personal levels. Israeli security would never take the crap that we do and call "security". 9/11 would never have taken place there for more reasons than I could count.
This is why after Richard Reid tried to ignite an explosive in his left brown leather loafer, the TSA now mandates that everyone remove their left brown leather loafer for inspection.
If the TSA was serious, they'd make Bruce the head.
Damn it, who modded me up? Somebody please mod that comment down!
Free Martian Whores!
How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?
Every year the middle east gets ten times more money than Europe got with the Marshall Plan for the whole thing and what do they do with it?
Time for people in the middle east to quit whining and stop pissing their money away.
This is my sig.
I write code to do stuff. That's generic enough for me to continue.
When I write my code, I sit back and try to think of how people are going to try to get around the restrictions, do things they shouldn't do, etc. In other words, I think like a 'bad guy'.
I can't guess everything but if I can weed out the obvious stuff then I'm well on my way to making things that aren't going to have the security value of tissue paper, I hope.
It's kind of the equivalent of installing the best deadbolt made. On a hollow core door. You have to think it through or your dubious 'security measure' isn't all that secure.
"The reality is that security is not something you can buy; it is something you must get."
*sigh* Fine, make me do things the hard way. Who do I get security from, and how much will they charge me?
What do you mean I don't get it? Is my money not good around here?
The enemies of Democracy are
Preach on Brother Bruce!! I don't know how many times I have heard a "C" level person say something like..."So, once we buy XYZ product, we will be secure, Right?" It makes me cringe!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Actually, the bible lists when life begins, but none are consistent with each other. It lists when blood forms, when the mother first feels movement, and others.
What is not listed in the bible is anything about abortion. The closest thing I have seen listed is a miscarriage caused due to injury to a bystander of two men fighting.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Funny, that sounds like Christianity from about 500CE to 1700CE. You remember such things as witch burnings, the inquisition, forced conversions, the crusades, the murders of "heretics", etc.
The fact is that nothing you posted has anything to do with being atheist, but some of it is a very good reflection of how theists have behaved in the past and continue to behave in the present.
Take yourself for an example. I have no doubt you would murder every single person who would not convert to your particular flavor of religion and believe you are justified in doing so because you did it in the name of your god. And, you would expect to go to heaven because you repented after doing so.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Sadly, that's not an unwritten rule. It is, in fact, the 10th amendment. So that just makes it an ignored rule.
"Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack."
That is right and we can know this for certainty because if we believe Bush and his rhetoric that "Hundreds of terrorist plots have been stopped and the terrorists have been arrested" ..then where are the hundreds of trials? If there are no trials, or these plots are military "detainees" (read: "legally not prisoner"). Then why do we need civilian airport checks if civilians are not being arrested?
This HAS to be security theater, it is the only answer. Giving up your rights will not make you secure.. it will just change the threat from one thing to another. In this case you are simply moving the threat of terrorism to the threat of tyrannical state powers. Both are real. The threat of state power is much greater. You see.. our current government is "attempting" to use these powers for good.. they want to protect us.. but that government will not always be the same.. Some day we may see an administration elected that will use these expanded powers for bad things.. it's only a matter of time.
Bringing liberty to the masses. - http://freetalklive.com/
GP is clearly a troll, but you're wrong about Anonymous. Slashdot logs anonymous posts. If a TLA agency came after them, Mr. AC wouldn't be Anonymous for very long.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Why did you reply to such a stupid posting? Guy is an idiot for such a comment.
There is plenty of terrorism (or was lately) in Indonesia, Ireland, and ex-Soviet republics (true, close to the Middle East area) without involvement from the well-known (or less well known) Middle East factions.
AND...
I suppose we'll have to forget about the domestic terrorism in OK City. Or the terrorism in the Philippines. Or Colombia. Or Bolivia, or Argentina, and gosh, the rest of S America. Forget about Africa, too. Maybe the Tamils will surrender peacefully. Maybe the Hindus will stop fighting. Will the IRA cease fire-- really? How about the Basque?
They're people that are being shit on by a state much more powerful than they are. They are being controlled by a power that they have no say in.
I should have specified terrorism against the US by folks from the Middle East in my original post.
I can't answer all of your posts because I'm an AC - and I'll stay that way.
yes, the random terrorism (e.g., Somali pirates that took over that Ukrainian freighter a couple of weeks ago) is that. But the more organized terror groups are after power.
Interesting point of view. I'll have to consider that.
More importantly, it is something that can be made expensive and trumpeted by the salesman's three best friends of Fear, Uncertainty and Doubt - leaving ample room to "reward" some of those who get to decide on spending the money of other people who cannot assess the value and actual benefit of their purchases.
The Seven Habits of Highly Ineffective Terrorists
[...]
Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terro
So this is why Schneier was in the news so much over the last few days. I figured it was the case, but I didn't bother to get it on the record. My take here is that Schneier talks a good game, but he's fond of making blanket statements. For example, the claim that there's no point to quantum encryption even though not everyone is vulnerable to social engineering and not every party can exploit social engineering equally well.
Oh yes, no true Scot^H^H^H^HChristian would ever do that.
Chernobyl 'not a wildlife haven' - BBC News
So, abandoning Israel would be a solution, in your point of view? Well, this might come as a surprise to you, but the Jews in Israel had armed groups defending themselves *before* the state of Israel came into existence.
If, in your words, "Terrorism is a symptom of very desperate people who feel that they're being shit on by someone", then if you shit on Israelis they will automatically become terrorists.
A simple look at Google Earth will show the Arab-Israel border by the color of the land, Israel is greener than its Arab neighbors. If I were given the power to decide who should live on that land, I would give it to the people who treat the land better. The Arab Muslims won the biggest lottery on earth, in the form of a few trillion dollars in oil. If they cannot separate the tiniest amount of that enormous wealth to help a few million Palestinians, while Jews around the world have contributed so generously to Israel, let the Israelis have that land, they have earned it.
No, your solution to the terrorist problem is both unjust and ineffective.
One example of a company which was shut down was Yahoo. For a single day, when that infamous script kiddie started showing off his leet DDoS.
But more to the point is that, for every theatrical show trial (Mitnick comes to mind), ALL businesses go along with the Prosecutor and parrot what he says to boost the supposed amount of damages incurred. IIRC, Sun claimed that Mitnick did $75 Million in damages, by "stealing" the Solaris Source Code for his own use. The list goes on. But there is a magic number which needs to be hit, and all businesses are eager to make up large numbers when they get hit.
Add to this list the amount of damages which occur when Credit Card (and other) data is stolen. This happens ALL the time, and is reported in the news frequently (monthly, weekly now?). This can cause immense harm to the people involved. But seemingly, not much harm to the Company involved.
So, add to the concept of Security Theater the concept of Judicial Theater. And you're right, things won't change in the former until there's some change in the latter.
So, terrorist organizations are nothing but gangs?
That's what it sounds like to me.
The above is just complete conjecture. The author has absolutely no data to back up his claims. The original author is a fraud. The original author was just blaming Muslims for the problem of terrorism in a very obfuscated way: with an academic sounding paper.
Why care about terrorists when a company or bank CEO can do much more damage to many more people?
Are those being blacklisted too? Just because they don't grow a beard doesn't mean they aren't dangerous...
When did Schneier get fired? That should tell volumes more than the echo of thought and distaste in his book. I'll be looking to buy it to find out what his financial theory of the bailout concerns. So far, Slashdot keeps shooting down all the Stories in Firehose that discuss the bailout in detail.
Here is one that is getting shot down again: http://slashdot.org/firehose.pl?op=view&id=1317023
Also, ever consider the spook "wannabe" was operating on defective Intelligence not lack of intelligence?
It's called transferring risk.
Absolutely. And insurance is the classic mechanism for transferring risk. Schneier develops this idea extensively in "Secrets and Lies."
An insurance policy converts a set of risks into a fixed expense for a period of time. It can do so even when those risks are due to events outside your control. You cite some great examples.
But insurers may charge a higher fee for unmitigated risk, or they may not agree to underwrite the risk at all if mitigations are not performed. For example, here in my apartment building we have to perform annual fire inspections or we don't get to renew our insurance. Schneier predicts that this kind of pressure is what will ultimately create change in the information security space.
So what are those specific mitigations? Well, they are the ones which actually decrease risk. The insurance industry has no interest in security theatre, it wants the real thing, because its profitability is directly linked to getting security right.
In practice, you, as the insured party, will have to demonstrate that you have applied appropriate mitigations. The wrinkle here is that, where effective security is concerned, what is appropriate for you is not necessarily appropriate for someone else. This is what Schneier means about not being able to buy security.
The statement is not such an exercise in hyperbole as you might think. It's very hard to fix bad security if it's part of your core processes. Yes, you can pay for security consulting services, and I think you're absolutely right, those services will rarely be effective without accompanying education. Otherwise, people fall back to their old ways.
But I'd argue that education itself is not enough either. It's equally important, and difficult, to design human and machine processes to be secure by default, and to have well defined roles, effective identity, effective containment, and so on for progressively relaxing that default. To apply the obligatory car analogy, we have to educate people to drive on the righthand side of the road, but we should not also put the ejector seat button next to the stereo. If there is no button, the question of when to push it never comes up.
But organizational processes vary greatly from one organization to the next. Maybe your organization is more analogous to a fighter aircraft than a car. Maybe it needs that ejector seat. You've got to be at least willing to make that determination. Get help, but take on that responsibility. That's what Schneier means, I think, by "getting" security.
I agree, the real educational effort should go toward reducing the number of stupid ideas that get proposed in the first place. In other words, it has to be pervasive, and in hierarchical organizations, that means it has to travel from the top down. I predict that will start to happen the instant there's a fiscal impact, for example, higher insurance premiums. But for now, as long as the senior people are not educated about security, there will continue to be a lot of downloading and blaming, and not a lot of effective transformation.
Parity: What to do when the weekend comes.
The Constitution doesn't violate the basic unwritten rule that the government should be granted only limited powers, and for limited purposes.
The 10th Amendment clearly wrote that "unwritten rule":
The rest of the Constitution is perfectly consistent with that written rule, though the 10th Amendment does make it explicit, as seemed prudent to those who wrote and ratified the Bill of Rights so there'd be no doubt that the Constitution protected those rights.
I don't really know what that paragraph I quoted from this review is even supposed to mean. Nor have I read this latest book by Schneier. But I also have read much of Schneier's writings over the past decade plus, including some of his other books (yes, starting with _Applied Cryptography_), and even some direct email correspondence, and I do not believe that Schneier says that the Constitution violates an unwritten rule of limited government. Schneier knows as well as anyone that the Constitution is the exemplar document of inherently limited government, as the Constitution itself says, which is such rock solid conventional wisdom that it's a cliche.
--
make install -not war
It's sometimes useful to draw a distinction between Christianity as a religion and the churches that have advanced it.
if you can't figure out which three letter agency he means, you mustn't be very good. unfortunately, he doesn't understand that he's not the intended audience for this book.
I have literally had insiders tell me that security is not even on the table in considering what needs to be done to implement ePedigree. They are concentrating on things like cost of RFID tags, speeds of readers, databases, etc.
While these are indeed valid considerations, I have pointed out on numerous occasions that they are dealing with a huge criminal force who have armed themselves with some very good hackers and who can easily afford to pay these same hackers to break the ePedigree systems. I have shown them how easily some of the RFID tags they have chosen can be cloned, and pointed out several weaknesses along the entire chain, and they simply stare at me with blank looks on their faces and tell me that they are sure their IT department will deal with the security issues if any should come up.
The sad reality is that the ePedigree is mandated by the government, and there is no security requirement, so they are simply looking to implement this very costly system at a bare minimum. What they do not know (and perhaps do not care to know) is that the weak security in the implementation will actually create a worse situation than currently exists for these companies, will actually make it EASIER for counterfeiters to get their products into the market, and will create new subversive business models.
Security exploitations are driven by motivation. Some are motivated by curiosity, some by vindictiveness, and others by greed. Greed is perhaps the biggest motivator of all.
Hopefully I will not have to deliver the "I told you so."
A Scotsman is someone who is born or lives in Scotland. If you're a Scotsman, the only way to NOT be a Scotsman is to emigrate, and even then it can be argued you are still a Scotsman. A TRUE Scotsman. To argue that someone born in Scotland and lives in Scotland is not a "true" Scotsman is a fallacy. It's like some right winger saying "A REAL American would not argue that we should be in Iraq". It is a fallacy.
Being a Christian is a choice, more like being a Democrat. It is not the same.
Free Martian Whores!
The point is that you do not get to decide whether someone else is a Christian any more than you get to decide whether they are a Scotsman, they get to decide if they are a Christian. Even imperfect Christians are still Christians, aren't they?
Chernobyl 'not a wildlife haven' - BBC News
http://geekz.co.uk/schneierfacts/fact/1057
Well that's the thing, Christians aren't perfect, they're saved. But if you see a guy kneeling before a golden calf you can be pretty sure he's not a Christian, no matter what he says.
A lot of people go to church to be seen by others and be perceived as Christians by other people, even though they don't really believe in God.
"You cannot serve both God and mammon" but how many people claim to be Christians while worshiping money? If I see someone deliberately harming another person you're going to have a hard time convincing me he's a Christian.
Free Martian Whores!
Max Abrahms http://maxabrahms.com/cv.html
I would say that's not the point at all. The "no true Scotsman" fallacy isn't really a distinct fallacy, it's either a case of circular argument or equivocation. If there is an agreed upon definition of "Scotsman" that applies to the given discussion, it's perfectly legitimate to point out that a trait asserted to be associated with at least some Scotsmen is, in fact, inconsistent with that definition and thus, no true Scotsman has that feature.
Where it becomes problematic is:
1) Where no such definition exists, and the proposition being debated is precisely whether or not the trait involved is a trait of at least some "Scotsmen". In this case, it's something of a circular argument, but it also can reveal that a fundamental problem in the discussion is the ambiguous definition of terms.
2) Where such a definition does exist (or at least, where a different definition of "Scotsman" is being used in the discussion), but the definition which excludes the trait from any "true Scotsman" is a different definition of Scotsmen. In this case, the fallacy is one of equivocation.
The principal problem that usually arises with "no true Scotsman" style arguments is where the person using them is making an argument that is trivially true for some definition of "Scotsman", but where the real interest in the discussion is in a different definition (or where, simply, the difference in definitions isn't that one is the "more interesting" one for the discussion, but instead just reveals that the participants are talking past each other about two or more completely different things.) It is not that one definition is necessarily objectively correct; there are many different, legitimate definitions of many terms ("Christian", for instance, can usefully be defined by self-identification, by adherence to particular belief sets, or by participation in particular groups, and for each of those there are places where those are interesting and useful definitions), the key is that in a discussion, to be productive, people have to be applying the same definitions to the same terms.
Anyone who claims to have a "lock" on computer security-the playbook on "Risk Management"-is nothing but a fool. The sheer volume and complexity of data that is captured and the wide variety of data transport methods make it not just unlikely but impossible for the US government to effectively keep track of all threats made against both the physical and cyber critical infrastructure of this country. The Bush administration has made grand statements of how they will stop any adversary by using military power abroad. The results? ZERO!
I have great respect for Schneier as a computer security expert. Applied Cryptography was wonderful. But Schneier errs in thinking that physical security is the same thing as cyber security, and that his computer/crypto expertise somehow extends to the physical world.
A lot of geeks share Schneier's fallacy. And since geeks tend to be a lot smarter than the folks in charge of real-world security, the tendency to false superiority is magnified. But intelligence is not the whole story. There is also experience and instinct.
Some of the key differences:
If Schneier (or any computer geek) were in charge of airport security, I'm pretty sure we would have had another terrorist incident since 9/11.
I think the reviewer accidentally typed in the wrong word. Instead of saying that the balance of powers and checks and balances etc violate the unwritten rule that government power should be limited, he meant to say that these features of the Constitution *validate* the unwritten rule ... (or 'give expression to', or 'implement' or 'serve' - but I try to think of a word looking a bit like 'violate' to figure out how he got to it)
The 10th amendment reserves power to the states or the people, but does not necessarily limit government (since the states have governments too!)
Perhaps they typed a "braino".
The 10th Amendment does limit government, by referencing the set of powers not assigned to either the United States, or to the several states, which are assigned to the people. There is no other category. It also carves out the niche for states' powers, by establishing the basis for explicit Federal limits to them, but again only as explicit. That brief formulation makes clear that the Federal government's powers, even when powers over the states, exist only where explicit. That is an express basis of inherently limited government. As opposed to inherently unlimited government that would be limited by law, which was the model for governments (eg. unlimited monarchies reined in by laws) previously.
FWIW, the Constitution is scoped to only the Federal government, so its omission of limits on state governments is no indication of any lack of inherent limitation of "government" that might be exercised in a state. Your observation does indeed indicate, though, that states are not necessarily bound to the inherently limited government model. The Constitution does not say that a state cannot have a monarch. However, each state's constitution does mirror the Federal Constitution's formulas, AFAIK. But I suppose that if, say, Texas amended its constitution to produce a hereditary dynasty of "Bushes" who function as divine emperor, we'd have a really big, but legal, problem on our hands.
--
make install -not war