Slashdot Mirror
Schneier on Security
brothke writes "There is a perception in both the
private and government sector, that security, both physical and digital, is
something you can buy. Witness the mammoth growth of airport security
products following 9/11, and the sheer number of vendors at security
conferences. With that, government officials and corporate executives
often think you can simply buy products and magically get instant security by
flipping on the switch. The reality is that security is not something
you can buy; it is something you must get." Keep reading for the rest of Ben's review.
Schneier on Security
author
Bruce Schneier
pages
336
publisher
Wiley
rating
10
reviewer
Ben Rothke
ISBN
978-0470395356
summary
The best articles from one of security's best
Perhaps no one in the world
gets security like author Bruce Schneier does. Schneier is a
person who I am proud to have as a colleague [Schneier and I
are both employed by the same parent company, but work in different divisions,
in different parts of the country]. Schneier on Security is a
collection of the best articles that Bruce has written from June 2002 to June
2008, mainly from his
Crypto-Gram
Newsletter, his
blog,
and other newspapers and magazine. The book is divided into 12 sections,
covering nearly the entire range of security issues from terrorism, aviation,
elections, economics, psychology, the business of security and much
more.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.
The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security requires that people remove their shoes, due to a one-time incident with shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plats is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United State's counterterrorism security spending is not designed to protect us from the terrorists; but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes. Since there is a certainty that government powers will be abused.
Schneier observes that the USA PATRIOT is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers is bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And much of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on, are those news threats, such as shoe bombers and liquid explosives that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schenier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schenier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know that the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that, makes that a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.
The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security requires that people remove their shoes, due to a one-time incident with shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plats is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United State's counterterrorism security spending is not designed to protect us from the terrorists; but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes. Since there is a certainty that government powers will be abused.
Schneier observes that the USA PATRIOT is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers is bad not only for security, but for the preservation of democracy.
In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And much of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on, are those news threats, such as shoe bombers and liquid explosives that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schenier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schenier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know that the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that, makes that a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
"Buying" security is easy, because throwing money at a problem is always the simplest path.
Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time..
[Fuck Beta]
o0t!
And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
I've learned over time working in many companies that security isn't important. What is important is the perception of security to the auditors, the clients, and the management. That's the key.
I like the idea of security systems working against their intended purpose. It reminds me of a recent incident at the office/retail complex where I work.
There's a fountain in the middle of a round-about, the intended purpose is to entertain visitors to the resturaunts around it. This fountain had multiple signs worded "Smile, you are being recorded"; a somewhat polite reminder to behave so to speak. Of course, there aren't any places to hide cameras in the nearby buildings, and there are no cameras installed. Someone figured this out, and put soap in the fountain. Now there are no friendly warning signs.
It was surely interesting that the poster of these signs wasn't intelligent enough to figure out that the signs would not deter bad behavior, but did understand after the fact.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
Sometimes, but I don't think that it's about some smart-person-persecution system. The big problem is that, if somebody points out a security hole, it must be fixed. Even if the hole has been noticed before but was ignored because the odds of exploitation are so remote as to negate the sense in repairing it, once it's been reported it must be addressed - The risk of exploitation is now magnified greatly because of the liability lying on whoever ignores the request - Nobody wants to hear "I told you so" after a security incident. So, if the weakness is ludicrously expensive to fix and very minor, you are correct that it will probably annoy whoever you point it out to. It's not that they don't like you because you're smart, it's because they may have to do something silly or possibly face the consequences of exposed inaction.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
That's kind of messed up. Maybe you've worked in some really dysfunctional places, but just throwing in the towel is doing a disservice to everyone involved. Just be sure you do a critical assessment of what you're suggesting before voicing it formally so that you can be sure that you're really improving things instead of making them worse. Otherwise, like Schneier points out, everyone winds up removing their shoes and throwing away their shampoo as a reaction to a couple of very remote threats.
Of course, there are obvious exceptions.
He's getting rather old, but he's a good mouse.
Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
Only because people have no clue about security.
When most people hear about a security vulnerability, they do indeed think that they have two options:
1. Fix it.
2. Bury all information about it.
The reality is that the third option is the one that is frequently the right one: Acknowledge it and move on. Security vulnerabilities are everywhere. It's better to be aware of them than not. And yes it's a good idea to fix them if doing so is not overly onerous. However it is not always necessary to fix them all.
For instance a store may not put magnetic tags on the chocolate bars they sell. Is the correct solution to tag everything? No, it's probably better to rely on people's (generally) good nature, the vigilance of employees, and then simply accept that a few chocolate bars will get stolen. It is cheaper (and less annoying for customers) to accept the losses. Or a movie theater can be tricked by having people exit with already-used tickets, and bring other friends in using them. Is the correct solution to require that everyone going to the movies show ID every time they enter the theater? No, it's better to simply accept the occasional teenager who "beats the system." Oftentimes the best "security" is just social norms. (Think of how much harm you could do, how much stuff you could steal, on a daily basis if you felt no remorse.)
Many geeks make this mistake, too (possibly because they are used to thinking about computer security, where applying a fix usually makes sense because the coding cost is fairly small compared to the damage that a exploit can cause).
I wish more people understood that security is a tradeoff, so that when someone points out a security hole, the people in charge can be honest and either say "that's not a sufficient concern to warrant fixing" or "that's a good point--we'll fix that now".
Whether it can be bought or not is perhaps besides the point.
Because it can certainly be sold.
"Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack."
That is right and we can know this for certainty because if we believe Bush and his rhetoric that "Hundreds of terrorist plots have been stopped and the terrorists have been arrested" ..then where are the hundreds of trials? If there are no trials, or these plots are military "detainees" (read: "legally not prisoner"). Then why do we need civilian airport checks if civilians are not being arrested?
This HAS to be security theater, it is the only answer. Giving up your rights will not make you secure.. it will just change the threat from one thing to another. In this case you are simply moving the threat of terrorism to the threat of tyrannical state powers. Both are real. The threat of state power is much greater. You see.. our current government is "attempting" to use these powers for good.. they want to protect us.. but that government will not always be the same.. Some day we may see an administration elected that will use these expanded powers for bad things.. it's only a matter of time.
Bringing liberty to the masses. - http://freetalklive.com/
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago? There was some direct fighting between US and Iranian forces in that conflict too. Right now, the USA is occupying Iraq to the West and Afghanistan to the East. They also have bases in Saudi Arabia, Turkey and Kyrgyzstan and are propping up the regime in Pakistan. So, Iran is pretty much surrounded by US influence and the US has declared them to be evil and made demands with an implicit threat of force.
If someone fucked with my country that much, I'd be trying to kill the fuckers too.
Chernobyl 'not a wildlife haven' - BBC News
No, it's better to simply accept the occasional teenager who "beats the system." Oftentimes the best "security" is just social norms.
I would highlight this with another example. My friends and I would often go to a particular restaurant to eat. This restaurant serves popcorn to eat while waiting for the meal and they have some relatively cheap appetizers. We'd order one small appetizer and fill up on popcorn. To some people, looking from the outside, this would look like "gaming the system", where we take something intended to help paying customers and use it without paying.
However, today, not a month goes by when I don't eat there with at least a group of 6 people, and my wife and I go there all the time. Had a manager or waitress been a hardass and kicked us out, my friends and I certainly wouldn't be eating there on a regular basis today. Sometimes it's better to accept the short term loss if it builds customer loyalty.
Specifically, they were trying to turn their problem - which was a lack of awareness that they were being observed keying in the number, into his problem, which is being a busybody. One is a disciplinary offense, the other is just bullshit. But if they can make everyone feel that he has done something heinously wrong (and consequently that they have done nothing wrong themselves), they can hide the severity of their own errors in a shroud of fud. Which matters when evaluation time comes around and you're looking forward to that bonus. Nobody cares, you see, that it is instilling into people the apathy that could allow another 9/11 to happen, they're looking at goals closer to home.
Starbucks, Harbuckle of Breath.
The Constitution doesn't violate the basic unwritten rule that the government should be granted only limited powers, and for limited purposes.
The 10th Amendment clearly wrote that "unwritten rule":
The rest of the Constitution is perfectly consistent with that written rule, though the 10th Amendment does make it explicit, as seemed prudent to those who wrote and ratified the Bill of Rights so there'd be no doubt that the Constitution protected those rights.
I don't really know what that paragraph I quoted from this review is even supposed to mean. Nor have I read this latest book by Schneier. But I also have read much of Schneier's writings over the past decade plus, including some of his other books (yes, starting with _Applied Cryptography_), and even some direct email correspondence, and I do not believe that Schneier says that the Constitution violates an unwritten rule of limited government. Schneier knows as well as anyone that the Constitution is the exemplar document of inherently limited government, as the Constitution itself says, which is such rock solid conventional wisdom that it's a cliche.
--
make install -not war
Of course, since everyone just clipped the two old cards on the same lanyard, nothing has really changed with regard to security, and costs went down.
It's a win.
--
JimFive
Please stop using the word theory when you mean hypothesis.