Schneier on Security
brothke writes "There is a perception in both the private and government sector, that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must get." Keep reading for the rest of Ben's review.
Schneier on Security
author: Bruce Schneier
pages: 336
publisher: Wiley
rating: 10
reviewer: Ben Rothke
ISBN: 978-0470395356
summary: The best articles from one of security's best
Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person who I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and other newspapers and magazines. The book is divided into 12 sections, covering nearly the entire range of security issues: terrorism, aviation, elections, economics, psychology, the business of security and much more.
Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that amount to security theater. Security theater gives an aura and show of security, but in reality has little real effect.
The lack of intelligence is most manifest at airports, which are a perfect example of misguided security. Schneier notes that current US airport security requires people to remove their shoes because of a single incident involving a shoe-based explosive. Such an approach completely misses the point. Schneier also notes that the attempt to create a no-fly list by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leanings, is farcical.
Schneier therefore feels that the only way to effectively uncover terrorist plots is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line, according to Schneier, is that too much of the United States' counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect public officials from criticism when another attack occurs.
Schneier also astutely notes that for the most part, security is not really so much a technical issue as one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear one all of the time? The reason people don't is that they do not think a vest is worth the cost: it is not worth the money or inconvenience, as the risk of being shot is quite low for most people. As security consumers, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off: it is not worth it, and as consumers, the public is being ripped off.
Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created, dividing power among the executive, legislative and judicial branches with checks and balances, rests on a basic unwritten rule: that the government should be granted only limited powers, and for limited purposes, since there is a certainty that government powers will be abused. The erosion Schneier describes violates that rule.
Schneier observes that the USA PATRIOT Act is a perfect example of this abuse. The Constitution carefully outlines which powers each branch may exercise. While Schneier is best known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers are bad not only for security, but for the preservation of democracy.
In chapter 8, on the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of the three steps has anything to do with technology; they all have to do with businesses, economics, and people.
In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, they do not have to worry about it: the very definition of news is something that hardly ever happens. It is when something is not in the news, because it is so common that it is no longer news (drunk drivers killing people, domestic violence, deaths from diabetes, and so on), that you should start worrying. Much of the terrorist threat on which the Department of Homeland Security is spending tens of billions of dollars consists of exactly those newsworthy threats, such as shoe bombers and liquid explosives, that present very little real threat to the people of the US.
A fundamental theme of the book is that security is a trade-off, and far too many people have made the security trade-off without thinking about whether it is truly worth it. In essay after essay, Schneier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schneier asks, has it been worth it?
Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets past vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.
Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know, the next time you see grandma asked by a TSA agent to take her shoes off at the airport, why she is simply a bit player in a large security theater, and why spending tens of billions on a charade like that is a tragedy of epic proportions.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Two things:
First, Van Gogh painted Bruce Schneier's portrait over a hundred years ago.
Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.
Secondly, I want to point to an afterword to Cory Doctorow's Little Brother. Bruce Schneier writes:
That's just a snippet; as the book is one long HTML page, do a word search on "Bruce Schneier" to find the afterword.
Free Martian Whores!
I didn't think that was possible.
The price is usually money, time, emotional energy, study, and perhaps reduced functionality.
Then again, that's probably the point of the book.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"Buying" security is easy, because throwing money at a problem is always the simplest path.
Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time.
[Fuck Beta]
o0t!
I can't wait until this guy starts doing late night infomercials. If there is one thing Bruce is really good at...it's marketing. I remember when he gave me an autographed copy of Secrets and Lies for dropping 20 grand with Counterpane....I will cherish it forever
People who bite the hand that feeds them usually lick the boot that kicks them
I've learned over time working in many companies that security isn't important. What is important is the perception of security to the auditors, the clients, and the management. That's the key.
If Chuck Norris tried to break Bruce Schneier's security, what would happen?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.
I've been thinking about terrorism lately and its causes and its implementers. most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.
Terrorism is the result of very desperate people who have lost all hope and feel powerless. The Middle East and its people have been shit on for a couple of millennia; whether by western powers, others in the Middle East (Persians and Turks), or Asians. These are people who have felt shit on by the world and there's nothing they can do about it. The creation of Israel was the straw that broke the camel's back, so to speak.
To make a long story short, if we gave autonomy to the Middle East (oil supplies be damned!), meaning pull out completely, I think terrorism would stop or at the very least decrease dramatically.
I also disagree with folks who think that if we were to leave the Middle East, others would gain control of the Oil thereby sending us into a depression or putting our military and defense in jeopardy. It won't happen.
"Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schneier asks, has it been worth it?" The United States is slowly resembling one of those padded rooms....
"The reality is that security is not something you can buy; it is something you must get."
WANTED: One security professional who knows what the hell they're doing. Please apply at the door.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
If you don't understand that you can post the name of the 3-letter agency while using an anonymous account, you can't be much of a cryptographer.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Schneier and I are both employed by the same parent company
[X] Brownnosing in progress
[ ] Fair and balanced book review
I've always wondered how often a single article could contain the words "Bruce Schneier", and you have just met my wildest expectations.
He simply decrypts the truth.
http://www.betterworld.com/list.aspx?SearchTerm=Bruce+Schneier
and save the planet while you save your a**
http://www.betterworld.com/custom.aspx?f=impact :-)
It doesn't do much good to point all this out. Security theater serves the interest of people who make the decisions and real, effective security does not. How do you make decision makers care about effective security? I don't know. Decision makers are almost entirely immune from the consequences of their decisions.
So you give it a two?
People responsible for things like airport security are ultimately bureaucrats. They are not experts, nor do they have the time or attention to get down to brass-tacks. The only thing they can do is throw money at the problem.
This how everything works from Airport Security, to product development and Q/A, to passing Financial Bailout legislation.
People who are in-charge of things often are 'executives' - meaning that they oversee a "big picture". These are usually people who are not experts in specific areas.
People who are experts in specific areas will rarely have an 'executive' position (I use the word "executive" literally, meaning high-level overseers).
Example: a brilliant scientist spends his entire life solving equations, coming up with theories, designing and building rockets. He/she is revered in his/her work and excels, and is well known. While this person will ultimately become a "lab fellow", or a "tenured professor", etc. etc. etc., they will not generally become the head of NASA. These are different positions, and different skill sets. The "big-picture" guys are always the "political" ones. Mitt Romney would become the head of NASA before a scientist like I mentioned. And if that scientist were offered the position, their head would be too into mathematical formulas and rocket designs to ever shift gears and worry about budgets and crap.
So the system is set up such that those at the helm are the executives, not the experts.
Executives don't know any better than to react. It's only the experts that really think proactively, because that's what they do. Furthermore, executives (like in the TSA) aren't really hired to "make us safe"; they're hired to "make us feel safe".
I've been saying this for 20 years: "If we were serious about airport security, we'd do what they do in Israel". Their security is incredible, and obviously not the work of a pencil-pushing bureaucrat. Their security was obviously devised and executed by people who were heavily, heavily invested in and dedicated to it, on both professional and very personal levels. Israeli security would never take the crap that we do and call it "security". 9/11 would never have taken place there for more reasons than I could count.
This is why, after Richard Reid tried to ignite an explosive in his left brown leather loafer, the TSA now mandates that everyone remove their left brown leather loafer for inspection.
If the TSA was serious, they'd make Bruce the head.
Damn it, who modded me up? Somebody please mod that comment down!
I write code to do stuff. That's generic enough for me to continue.
When I write my code, I sit back and try to think of how people are going to try to get around the restrictions, do things they shouldn't do, etc. In other words, I think like a 'bad guy'.
I can't guess everything but if I can weed out the obvious stuff then I'm well on my way to making things that aren't going to have the security value of tissue paper, I hope.
It's kind of the equivalent of installing the best deadbolt made. On a hollow core door. You have to think it through or your dubious 'security measure' isn't all that secure.
"The reality is that security is not something you can buy; it is something you must get."
*sigh* Fine, make me do things the hard way. Who do I get security from, and how much will they charge me?
What do you mean I don't get it? Is my money not good around here?
The enemies of Democracy are
Is that you, Mr. President? ;)
Preach on Brother Bruce!! I don't know how many times I have heard a "C" level person say something like..."So, once we buy XYZ product, we will be secure, Right?" It makes me cringe!!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Actually, the bible lists when life begins, but none are consistent with each other. It lists when blood forms, when the mother first feels movement, and others.
What is not listed in the bible is anything about abortion. The closest thing I have seen listed is a miscarriage caused due to injury to a bystander of two men fighting.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
There are foreign troops occupying their land.
Oh, you mean in Egypt? Saudi Arabia? Iran? Please, show me the foreign troops in Iran...
It's a b.s. excuse from a b.s. people that can't own up to being stupid. No wonder Obama wants to make nice with all of his buddies... liberals are just like radical islamics - no matter how much money you throw at them, they will be whining about how they are victims... when really, they are just lazy.
This is my sig.
Funny, that sounds like Christianity from about 500CE to 1700CE. You remember such things as witch burnings, the inquisition, forced conversions, the crusades, the murders of "heretics", etc.
The fact is that nothing you posted has anything to do with being atheist, but some of it is a very good reflection of how theists have behaved in the past and continue to behave in the present.
Take yourself for an example. I have no doubt you would murder every single person who would not convert to your particular flavor of religion and believe you are justified in doing so because you did it in the name of your god. And, you would expect to go to heaven because you repented after doing so.
Sadly, that's not an unwritten rule. It is, in fact, the 10th amendment. So that just makes it an ignored rule.
How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?
Because >99% of those trillions go to 1% of the population?
"Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack."
That is right, and we can know this for certain, because if we believe Bush and his rhetoric that "Hundreds of terrorist plots have been stopped and the terrorists have been arrested", then where are the hundreds of trials? If there are no trials, or these plotters are military "detainees" (read: "legally not prisoners"), then why do we need civilian airport checks if civilians are not being arrested?
This HAS to be security theater, it is the only answer. Giving up your rights will not make you secure.. it will just change the threat from one thing to another. In this case you are simply moving the threat of terrorism to the threat of tyrannical state powers. Both are real. The threat of state power is much greater. You see.. our current government is "attempting" to use these powers for good.. they want to protect us.. but that government will not always be the same.. Some day we may see an administration elected that will use these expanded powers for bad things.. it's only a matter of time.
Bringing liberty to the masses. - http://freetalklive.com/
GP is clearly a troll, but you're wrong about Anonymous. Slashdot logs anonymous posts. If a TLA agency came after them, Mr. AC wouldn't be Anonymous for very long.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
why did you reply to such a stupid posting. guy is an idiot for such a comment.
Iran? Is that the country where the CIA led an organized coup which toppled the secular democratically elected government in the 70's?
More importantly, it is something that can be made expensive and trumpeted by the salesman's three best friends of Fear, Uncertainty and Doubt - leaving ample room to "reward" some of those who get to decide on spending the money of other people who cannot assess the value and actual benefit of their purchases.
Reminds me of that joke... on a trip to France, a sultan buys some masterpieces from a fine art gallery, then says: "Alright, got the postcards. Time to go buy the souvenirs!"
Circumcision is child abuse.
The Seven Habits of Highly Ineffective Terrorists
[...]
Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorists are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terro
So this is why Schneier was in the news so much over the last few days. I figured it was the case, but I didn't bother to get it on the record. My take here is that Schneier talks a good game, but he's fond of making blanket statements. For example, the claim that there's no point to quantum encryption even though not everyone is vulnerable to social engineering and not every party can exploit social engineering equally well.
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago? There was some direct fighting between US and Iranian forces in that conflict too. Right now, the USA is occupying Iraq to the West and Afghanistan to the East. They also have bases in Saudi Arabia, Turkey and Kyrgyzstan and are propping up the regime in Pakistan. So, Iran is pretty much surrounded by US influence and the US has declared them to be evil and made demands with an implicit threat of force.
If someone fucked with my country that much, I'd be trying to kill the fuckers too.
Chernobyl 'not a wildlife haven' - BBC News
Oh yes, no true Scot^H^H^H^HChristian would ever do that.
So, abandoning Israel would be a solution, in your point of view? Well, this might come as a surprise to you, but the Jews in Israel had armed groups defending themselves *before* the state of Israel came into existence.
If, in your words, "Terrorism is a symptom of very desperate people who feel that they're being shit on by someone", then if you shit on Israelis they will automatically become terrorists.
A simple look at Google Earth will show the Arab-Israel border by the color of the land, Israel is greener than its Arab neighbors. If I were given the power to decide who should live on that land, I would give it to the people who treat the land better. The Arab Muslims won the biggest lottery on earth, in the form of a few trillion dollars in oil. If they cannot separate the tiniest amount of that enormous wealth to help a few million Palestinians, while Jews around the world have contributed so generously to Israel, let the Israelis have that land, they have earned it.
No, your solution to the terrorist problem is both unjust and ineffective.
Fair enough point. But let's keep some perspective.
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago?
Iraq got a lot more support from the French and Soviets during that time period than the US. Iraq was hardly a proxy for US action in the region. Although it was a natural choice to counter expanding Iranian influence. Iran had already set the tone with the US (although the US' involvement in pre-revolutionary Iran was a mistake).
There was some direct fighting between US and Iranian forces in that conflict too.
Certainly - after Iran had attacked US interests in the region. The US counter-attacked. Let's not make it appear that the US was involved in the Iraq-Iran War.
Right now, the USA is occupying Iraq to the West and Afghanistan to the East. They also have bases in Saudi Arabia, Turkey and Kyrgyzstan and are propping up the regime in Pakistan. So, Iran is pretty much surrounded by US influence and the US has declared them to be evil and made demands with an implicit threat of force.
Keep in mind that before the US declared Iran as a member of the "Axis of Evil", Iran declared the US "The Great Satan." There's a lot of finger-pointing going on. And that's led to a lot of saber rattling. I do, however, agree that this Administration has done more rattling than required.
Why care about terrorists when a company or bank CEO can do much more damage to much more people?
Are those being blacklisted too? Just because they don't grow a beard doesn't mean they aren't dangerous...
It's called transferring risk.
Absolutely. And insurance is the classic mechanism for transferring risk. Schneier develops this idea extensively in "Secrets and Lies."
An insurance policy converts a set of risks into a fixed expense for a period of time. It can do so even when those risks are due to events outside your control. You cite some great examples.
But insurers may charge a higher fee for unmitigated risk, or they may not agree to underwrite the risk at all if mitigations are not performed. For example, here in my apartment building we have to perform annual fire inspections or we don't get to renew our insurance. Schneier predicts that this kind of pressure is what will ultimately create change in the information security space.
So what are those specific mitigations? Well, they are the ones which actually decrease risk. The insurance industry has no interest in security theatre, it wants the real thing, because its profitability is directly linked to getting security right.
In practice, you, as the insured party, will have to demonstrate that you have applied appropriate mitigations. The wrinkle here is that, where effective security is concerned, what is appropriate for you is not necessarily appropriate for someone else. This is what Schneier means about not being able to buy security.
The statement is not such an exercise in hyperbole as you might think. It's very hard to fix bad security if it's part of your core processes. Yes, you can pay for security consulting services, and I think you're absolutely right, those services will rarely be effective without accompanying education. Otherwise, people fall back to their old ways.
But I'd argue that education itself is not enough either. It's equally important, and difficult, to design human and machine processes to be secure by default, and to have well-defined roles, effective identity, effective containment, and so on for progressively relaxing that default. To apply the obligatory car analogy, we have to educate people to drive on the right-hand side of the road, but we should not also put the ejector seat button next to the stereo. If there is no button, the question of when to push it never comes up.
But organizational processes vary greatly from one organization to the next. Maybe your organization is more analogous to a fighter aircraft than a car. Maybe it needs that ejector seat. You've got to be at least willing to make that determination. Get help, but take on that responsibility. That's what Schneier means, I think, by "getting" security.
I agree, the real educational effort should go toward reducing the number of stupid ideas that get proposed in the first place. In other words, it has to be pervasive, and in hierarchical organizations, that means it has to travel from the top down. I predict that will start to happen the instant there's a fiscal impact, for example, higher insurance premiums. But for now, as long as the senior people are not educated about security, there will continue to be a lot of downloading and blaming, and not a lot of effective transformation.
Parity: What to do when the weekend comes.
Another lovely phrase lost in translation. Ayatollah Khomeini labeled the US the great 'Shaitan', referring to a particular manifestation of the Devil: the Tempter.
Specifically, he meant that US culture was tempting the people of Iran into decadence and materialism. That's evil, to be sure, but not generically Evil.
Iran has been fighting a low-grade dirty war against the US and Israel since the 1980s. They have sponsored many of the most effective guerrilla and terrorist organisations in the region and in the world. Their goal is definitely to reduce US influence in the region in order to allow fundamentalist Islamism to spread. In that sense, they are most definitely a threat that, occasionally, requires an armed response.
That said, nobody's interests are served when we speak in broad terms, deliberately mischaracterising the nature and the scope of the threat. It's generic terms like 'Evil' that make it difficult to engage the other levers that the US (and other nations) could usefully bring to bear on Iran to reduce the threat they present.
Diplomacy, economic engagement - both positive and negative - as well as armed deterrence all play a role. But as long as Iran is just plain old Evil, offensive measures are the only ones palatable to otherwise uninformed American voters.
Crumb's Corollary: Never bring a knife to a bun fight.
The Constitution doesn't violate the basic unwritten rule that the government should be granted only limited powers, and for limited purposes.
The 10th Amendment clearly wrote that "unwritten rule":
The rest of the Constitution is perfectly consistent with that written rule, though the 10th Amendment does make it explicit, as seemed prudent to those who wrote and ratified the Bill of Rights so there'd be no doubt that the Constitution protected those rights.
I don't really know what that paragraph I quoted from this review is even supposed to mean. Nor have I read this latest book by Schneier. But I also have read much of Schneier's writings over the past decade plus, including some of his other books (yes, starting with _Applied Cryptography_), and even some direct email correspondence, and I do not believe that Schneier says that the Constitution violates an unwritten rule of limited government. Schneier knows as well as anyone that the Constitution is the exemplar document of inherently limited government, as the Constitution itself says, which is such rock solid conventional wisdom that it's a cliche.
--
make install -not war
The author has absolutely no data to back up his claims
Not really.
Just a few tidbits from the original paper. The author looked at the data collected by RAND and found out that since 1968 - 64% of Terrorist Acts Worldwide are Anonymous.
There's a lot of stuff about these organizations being politically diffuse. For example Bin Laden's fatwas throughout the 1990's were primarily aimed at Muslims! It was only in 2001 that he talked about the US. The author cites quotes from members of Al-Qaida criticizing their own lack of direction.
The author also cites Abrams' study on the success rate of political change, which is pretty bad... of twenty-eight randomly selected cases the success rate was zero.
Other stuff on how terrorism isn't being used as a "last resort" to political ends.
If terrorism is actually about gaining political change then the people involved are doing so in a very inefficient way. Even to the point of giving up gaining most of their own stated political goals.
So you have two choices here: Terrorists are irrational or they are rationally pursuant of a different goal than political change.
The author supplies a goal that better fits the data (the given data anyway) than the idea of "political change"
None there just now, but what about the US-sponsored and supplied Iraqis a couple of decades ago?
The operative phrase is... a couple of decades ago. You know, we could go back pretty far and discover that Islam was a simple Saudi religion that forcibly occupied the rest of the middle east.
There was some direct fighting between US and Iranian forces in that conflict too
Yeah, and let's call that for what it was. The Iranians tried to close the gulf to all foreign shipping in an attempt to bully its neighbors into supporting it. The USA sent in the Navy to force the gulf back open and the Iranians tried to fire on it. As a result, the USA sank a bunch of Iranian stuff and then accidentally shot down a civilian airliner which, of all intelligent things, the Iranians flew into the middle of a war zone during the fighting.
Right now, the USA is occupying Iraq to the West and Afghanistan to the East.
Iraq was in a functional state of war against the USA and the USA finished it. Saddam should not have invaded Kuwait in 1991 but he really should not have seized a part of Saudi Arabia in 1991 - once he did that the USA had carte blanche to do what it will with Iraq.
Afghanistan attacked the United States, repeatedly.
They also have bases in Saudi Arabia, Turkey and Kyrgyzstan and are propping up the regime in Pakistan.
There are no US bases in Saudi Arabia.
Turkey is a NATO ally as they have a huge Russia problem and have had one for, well, 500 years. Kyrgyzstan we've bought off fair and square, but alas, they also have a Russia problem.
Pakistan just held elections, and threw Musharraf out, so maybe you should check the news.
If someone fucked with my country that much, I'd be trying to kill the ..... too.
See, there are people, liberals, who ARE backstabbing the USA on the war and on the economy... and they've been successful enough to create this coup they are headed for in November. It's just like how the socialists caused Germany to lose World War I. When you read stuff like that, it's really not too paranoid to think that the economic crisis and military shortfalls of the USA were deliberately engineered by the left wing solely to attain power.
This is my sig.
Another lovely phrase lost in translation. Ayatollah Khomeini labeled the US the great 'Shaitan', referring to a particular manifestation of the Devil: the Tempter.
You know what, that's a bunch of BS. The Iranian leadership isn't stupid and never has been. The fact of the matter is that they throw out incendiary stuff all the time and then blame it on the translation. I would think that after 30 years of this crap they would hire someone who can actually translate. But, it's not.
I mean, I think that, Great Satan is pretty much what they meant, burning US flags and all.
What I'm saying is, the moment Iran drops the bomb outside of its soil, kill them all.
I have literally had insiders tell me that security is not even on the table in considering what needs to be done to implement ePedigree. They are concentrating on things like cost of RFID tags, speeds of readers, databases, etc.
While these are indeed valid considerations, I have pointed out on numerous occasions that they are dealing with a huge criminal force who have armed themselves with some very good hackers and who can easily afford to pay these same hackers to break the ePedigree systems. I have shown them how easily some of the RFID tags they have chosen can be cloned, and pointed out several weaknesses along the entire chain, and they simply stare at me with blank looks on their faces and tell me that they are sure their IT department will deal with the security issues if any should come up.
The sad reality is that the ePedigree is mandated by the government, and there is no security requirement, so they are simply looking to implement this very costly system at a bare minimum. What they do not know (and perhaps do not care to know) is that the weak security in the implementation will actually create a worse situation than currently exists for these companies, will actually make it EASIER for counterfeiters to get their products into the market, and will create new subversive business models.
Security exploitations are driven by motivation. Some are motivated by curiosity, some by vindictiveness, and others by greed. Greed is perhaps the biggest motivator of all.
Hopefully I will not have to deliver the "I told you so."
A Scotsman is someone who is born or lives in Scotland. If you're a Scotsman, the only way to NOT be a Scotsman is to emigrate, and even then it can be argued you are still a Scotsman. A TRUE Scotsman. To argue that someone born in Scotland and lives in Scotland is not a "true" Scotsman is a fallacy. It's like some right winger saying "A REAL American would not argue that we should be in Iraq". It is a fallacy.
Being a Christian is a choice, more like being a Democrat. It is not the same.
Free Martian Whores!
The point is that you do not get to decide whether someone else is a Christian any more than you get to decide whether they are a Scotsman, they get to decide if they are a Christian. Even imperfect Christians are still Christians, aren't they?
Well that's the thing, Christians aren't perfect, they're saved. But if you see a guy kneeling before a golden calf you can be pretty sure he's not a Christian, no matter what he says.
A lot of people go to church to be seen by others and be perceived as Christians by other people, even though they don't really believe in God.
"You cannot serve both God and mammon" but how many people claim to be Christians while worshiping money? If I see someone deliberately harming another person you're going to have a hard time convincing me he's a Christian.
Another lovely phrase lost in translation. Ayatollah Khomeini labeled the US the great 'Shaitan', referring to a particular manifestation of the Devil: the Tempter.
Specifically, he meant that US culture was tempting the people of Iran into decadence and materialism. That's evil, to be sure, but not generically Evil.
I wouldn't be so quick to down-grade the meaning of the phrase. Your explanation makes it all sound like a mere difference in opinion. The label has a lot more power than that.
We're not just talking about culture. It was definitely a reference to US geopolitical involvement in the region as well. Anyone who disagrees with US policy is quick to label such involvement as meddling.
Although I think you do make a very important point; culture is the subtle issue. US influence goes beyond oil companies and military presence. It is also Baywatch. And in some eyes, that is just as much an affront as anything else that comes out of the United States.
I would also note - Satan is Satan under any other name. The mythology is the same. I don't know enough about Iranian culture to understand any subtle differences in how the mythos impacts the culture. But I would imagine it isn't all that different than how it impacts US culture. Both view the myth as a derogatory figure; one that is, ultimately, evil. I see little difference between the rhetoric of the US and Iran.
I find myself both agreeing and disagreeing. And it seems the pivotal reason is the man who delivered the speech. If it had come from a leader that inspired more trust, who didn't portray overly simplistic views, who didn't present an uncomfortable stubborn disregard for fact... I would also find myself generally supporting the concept of an "Axis of Evil." It certainly fits the behavior of those named. But I do agree that it is much too blunt and unwieldy a political weapon to be brandished about by the likes of this Administration.
If someone fucked with my country that much, I'd be trying to kill the fuckers too.
There are two groups fucking with your country that much. They are Republicans and Democrats. I say you and me let's get started killing the fuckers.
My Freakin Blog
The Republicans and Democrats are fucking with the UK a little bit, but not nearly enough to make me want to kill the fuckers.
Haha, USA bias FTL. My bad. I'll have to find one of my countrymen to kill the fuckers then.
Iran? Is that the country where the CIA led an organized coup which toppled the secular democratically elected government in the 70's?
No, the CIA did that in the 1950s, you know, half a century ago. So, should we still hate the Germans for World War II? The Iranian coup was only a couple of years after that?
I would say that's not the point at all. The "no true Scotsman" fallacy isn't really a distinct fallacy; it's either a case of circular argument or equivocation. If there is an agreed upon definition of "Scotsman" that applies to the given discussion, it's perfectly legitimate to point out that a trait asserted to be associated with at least some Scotsmen is, in fact, inconsistent with that definition and thus, no true Scotsman has that feature.
Where it becomes problematic is:
1) Where no such definition exists, and the proposition being debated is precisely whether or not the trait involved is a trait of at least some "Scotsmen". In this case, it's something of a circular argument, but it also can reveal that a fundamental problem in the discussion is the ambiguous definition of terms.
2) Where such a definition does exist (or at least, where a different definition of "Scotsman" is being used in the discussion), but the definition which excludes the trait from any "true Scotsman" is a different definition of Scotsmen. In this case, the fallacy is one of equivocation.
The principal problem that usually arises with "no true Scotsman" style arguments is where the person using them is making an argument that is trivially true for some definition of "Scotsman", but where the real interest in the discussion is in a different definition (or where, simply, the difference in definitions isn't that one is the "more interesting" one for the discussion, but instead just reveals that the participants are talking past each other about two or more completely different things). It is not that one definition is necessarily objectively correct; there are many different, legitimate definitions of many terms ("Christian", for instance, can usefully be defined by self-identification, by adherence to particular belief sets, or by participation in particular groups, and for each of those there are places where those are interesting and useful definitions); the key is that in a discussion, to be productive, people have to be applying the same definitions to the same terms.
I have great respect for Schneier as a computer security expert. Applied Cryptography was wonderful. But Schneier errs in thinking that physical security is the same thing as cyber security, and that his computer/crypto expertise somehow extends to the physical world.
A lot of geeks share Schneier's fallacy. And since geeks tend to be a lot smarter than the folks in charge of real-world security, the tendency to false superiority is magnified. But intelligence is not the whole story. There is also experience and instinct.
Some of the key differences:
If Schneier (or any computer geek) were in charge of airport security, I'm pretty sure we would have had another terrorist incident since 9/11.
I think the reviewer accidentally typed in the wrong word. Instead of saying that the balance of powers and checks and balances etc. violate the unwritten rule that government power should be limited, he meant to say that these features of the Constitution *validate* the unwritten rule... (or 'give expression to', or 'implement' or 'serve' - but I try to think of a word looking a bit like 'violate' to figure out how he got to it).
The 10th amendment reserves power to the states or the people, but does not necessarily limit government (since the states have governments too!)
Perhaps they typed a "braino".
The 10th Amendment does limit government, by referencing the set of powers not assigned to either the United States, or to the several states, which are assigned to the people. There is no other category. It also carves out the niche for states' powers, by establishing the basis for explicit Federal limits to them, but again only as explicit. That brief formulation makes clear that the Federal government's powers, even when powers over the states, exist only where explicit. That is an express basis of inherently limited government. As opposed to inherently unlimited government that would be limited by law, which was the model for governments (e.g. unlimited monarchies reined in by laws) previously.
FWIW, the Constitution is scoped to only the Federal government, so its omission of limits on state governments is no indication of any lack of inherent limitation of "government" that might be exercised in a state. Your observation does indeed indicate, though, that states are not necessarily bound to the inherently limited government model. The Constitution does not say that a state cannot have a monarch. However, each state's constitution does mirror the Federal Constitution's formulas, AFAIK. But I suppose that if, say, Texas amended its constitution to produce a hereditary dynasty of "Bushes" who function as divine emperor, we'd have a really big, but legal, problem on our hands.