Slashdot Mirror


Schneier on Security

brothke writes "There is a perception in both the private and government sector, that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must get." Keep reading for the rest of Ben's review.

Schneier on Security
author: Bruce Schneier
pages: 336
publisher: Wiley
rating: 10
reviewer: Ben Rothke
ISBN: 978-0470395356
summary: The best articles from one of security's best

Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person who I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and other newspapers and magazines. The book is divided into 12 sections, covering nearly the entire range of security issues from terrorism, aviation, elections, economics, psychology, the business of security and much more.

Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.

The lack of intelligence is most manifest at airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security require that people remove their shoes, due to a one-time incident with a shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leanings, is farcical.

Schneier therefore feels that the only way to effectively uncover terrorist plots is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United States' counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect public officials from criticism when another attack occurs.

Schneier also astutely notes that for the most part, security is not really so much a technical issue as one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As security consumers, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it, and as consumers, the public is being ripped off.

Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created, with its divisions of power (executive, legislative, judicial) and checks and balances, rests on a basic unwritten rule: that the government should be granted only limited powers, and for limited purposes, since it is a certainty that government powers will be abused.

Schneier observes that the USA PATRIOT Act is a perfect example of this abuse. The Constitution was carefully designed and outlines which powers each branch may exercise. While Schneier is best known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential power is bad not only for security, but for the preservation of democracy.

In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.

In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news (drunk drivers killing people, domestic violence, deaths from diabetes, etc.), that you should start worrying. And many of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on are precisely such news threats, such as shoe bombers and liquid explosives, which present very little real threat to the people of the US.

A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking about whether it is truly worth it. In essay after essay, Schneier challenges those assertions. Since 9/11, much has been given up in the name of fighting terrorism, namely personal privacy and security. Schneier asks, has it been worth it?

Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.

Much of the security carried out in the name of 9/11 has proven to be ineffective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know, the next time you see grandma asked by a TSA agent to take her shoes off at the airport, why she is simply a bit player in the larger security theater. And why spending tens of billions on a charade like that makes it a tragedy of epic proportions.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.



  1. Afterword by mcgrew · · Score: 4, Interesting

    Two things:

    First, Van Gogh painted Bruce Schneier's portrait over a hundred years ago.

    Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.

    Secondly, I want to point to an afterword to Cory Doctorow's Little Brother. Bruce Schneier writes:

    It's how security people think. We're constantly looking at security systems and how to get around them; we can't help it.

    This kind of thinking is important no matter what side of security you're on. If you've been hired to build a shoplift-proof store, you'd better know how to shoplift. If you're designing a camera system that detects individual gaits, you'd better plan for people putting rocks in their shoes. Because if you don't, you're not going to design anything good.

    So when you're wandering through your day, take a moment to look at the security systems around you. Look at the cameras in the stores you shop at. (Do they prevent crime, or just move it next door?) See how a restaurant operates. (If you pay after you eat, why don't more people just leave without paying?) Pay attention at airport security. (How could you get a weapon onto an airplane?) Watch what the teller does at a bank. (Bank security is designed to prevent tellers from stealing just as much as it is to prevent you from stealing.) Stare at an anthill. (Insects are all about security.) Read the Constitution, and notice all the ways it provides people with security against government. Look at traffic lights and door locks and all the security systems on television and in the movies. Figure out how they work, what threats they protect against and what threats they don't, how they fail, and how they can be exploited.

    Spend enough time doing this, and you'll find yourself thinking differently about the world. You'll start noticing that many of the security systems out there don't actually do what they claim to, and that much of our national security is a waste of money. You'll understand privacy as essential to security, not in opposition. You'll stop worrying about things other people worry about, and start worrying about things other people don't even think about.

    Sometimes you'll notice something about security that no one has ever thought about before. And maybe you'll figure out a new way to break a security system.

    That's just a snippet; as the book is one long HTML page, do a word search on "Bruce Schneier" to find the afterword.

    1. Re:Afterword by Creepy+Crawler · · Score: 5, Insightful

      And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

      I saw this all the time at schools, jobs and the like. People don't like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

      If you are smart about security, keep your mouth shut. There's not much you can do, except make yourself a target.

    2. Re:Afterword by Penguinoflight · · Score: 4, Insightful

      I like the idea of security systems working against their intended purpose. It reminds me of a recent incident at the office/retail complex where I work.

      There's a fountain in the middle of a round-about, whose intended purpose is to entertain visitors to the restaurants around it. This fountain had multiple signs worded "Smile, you are being recorded"; a somewhat polite reminder to behave, so to speak. Of course, there aren't any places to hide cameras in the nearby buildings, and there are no cameras installed. Someone figured this out, and put soap in the fountain. Now there are no friendly warning signs.

      It was surely interesting that the poster of these signs wasn't intelligent enough to figure out that the signs would not deter bad behavior, but did understand after the fact.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    3. Re:Afterword by gnick · · Score: 4, Insightful

      People don't like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

      Sometimes, but I don't think that it's about some smart-person-persecution system. The big problem is that, if somebody points out a security hole, it must be fixed. Even if the hole has been noticed before but was ignored because the odds of exploitation are so remote as to negate the sense in repairing it, once it's been reported it must be addressed - The risk of exploitation is now magnified greatly because of the liability lying on whoever ignores the request - Nobody wants to hear "I told you so" after a security incident. So, if the weakness is ludicrously expensive to fix and very minor, you are correct that it will probably annoy whoever you point it out to. It's not that they don't like you because you're smart, it's because they may have to do something silly or possibly face the consequences of exposed inaction.

      If you are smart about security, keep your mouth shut. There's not much you can do, except make yourself a target.

      That's kind of messed up. Maybe you've worked in some really dysfunctional places, but just throwing in the towel is doing a disservice to everyone involved. Just be sure you do a critical assessment of what you're suggesting before voicing it formally so that you can be sure that you're really improving things instead of making them worse. Otherwise, like Schneier points out, everyone winds up removing their shoes and throwing away their shampoo as a reaction to a couple of very remote threats.

      Of course, there are obvious exceptions.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:Afterword by cvd6262 · · Score: 5, Interesting

      Amen.

      I recently relocated to a rather rural area and I've met a lot of... shall we call them "simple" people. They look like country bumpkins, and many rarely leave the area, but several have surprised me with their insights.

      One was an older man who worked construction his whole life. He once flew out to see his son's family in another state. While waiting to board his return flight he was sitting facing the key-pad door that led to the tarmac. He heard one person type "Beep... Beep... Beep... Bip-bip-bip." Then another. He realized that the six-digit code was three different numbers, followed by three identical numbers.

      So he watched. After fifteen minutes he got the code. It was something like "264000." He wrote it on his boarding pass. When he handed the pass to the attendant at the gate she asked, "Sir, do you need this number?" He responded, "No, I don't need the code to your locked door over there." And then he boarded the plane.

      A few minutes later two airport police officers came on the plane and asked him if he'd mind answering a few questions. He missed his flight (though they took mercy on him and put him on a later flight) while he was read the riot act. At no point did anyone thank him, nor did it seem that they were willing to find fault with their system or people who let out their ubersecret code.

      He was wrong for hearing the code. He was wrong for watching the employees type the code.

      --
      I'd rather have someone respond than be modded up.

    5. Re:Afterword by moderatorrater · · Score: 4, Insightful

      No, it's better to simply accept the occasional teenager who "beats the system." Oftentimes the best "security" is just social norms.

      I would highlight this with another example. My friends and I would often go to a particular restaurant to eat. This restaurant serves popcorn to eat while waiting for the meal and they have some relatively cheap appetizers. We'd order one small appetizer and fill up on popcorn. To some people, looking from the outside, this would look like "gaming the system", where we take something intended to help paying customers and use it without paying.

      However, today, not a month goes by when I don't eat there with at least a group of 6 people, and my wife and I go there all the time. Had a manager or waitress been a hardass and kicked us out, my friends and I certainly wouldn't be eating there on a regular basis today. Sometimes it's better to accept the short term loss if it builds customer loyalty.

    6. Re:Afterword by initialE · · Score: 4, Insightful

      Specifically, they were trying to turn their problem - which was a lack of awareness that they were being observed keying in the number, into his problem, which is being a busybody. One is a disciplinary offense, the other is just bullshit. But if they can make everyone feel that he has done something heinously wrong (and consequently that they have done nothing wrong themselves), they can hide the severity of their own errors in a shroud of fud. Which matters when evaluation time comes around and you're looking forward to that bonus. Nobody cares, you see, that it is instilling into people the apathy that could allow another 9/11 to happen, they're looking at goals closer to home.

      --
      Starbucks, Harbuckle of Breath.
  2. Security can be bought by davidwr · · Score: 5, Funny

    The price is usually money, time, emotional energy, study, and perhaps reduced functionality.

    Then again, that's probably the point of the book.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Security can be bought by Znork · · Score: 4, Insightful

      Whether it can be bought or not is perhaps beside the point.

      Because it can certainly be sold.

  3. Question by Amazing+Quantum+Man · · Score: 5, Funny

    If Chuck Norris tried to break Bruce Schneier's security, what would happen?

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  4. Dealing with symptoms by Anonymous Coward · · Score: 5, Interesting

    Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.

    I've been thinking about terrorism lately and its causes and its implementers. most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.

    Terrorism is the result of very desperate people who have lost all hope and feel powerless. The Middle East and its people have been shit on for a couple of millennia; whether by western powers, others in the Middle East (Persians and Turks), or Asians. These are people who have felt shit on by the World and there's nothing they can do about it. The creation of Israel was the straw that broke the camel's back - so to speak.

    To make a long story short, if we gave autonomy to the Middle East (Oil supplies be damned!), meaning pull out completely, I think terrorism would stop or at the very least, decrease dramatically.

    I also disagree with folks who think that if we were to leave the Middle East, others would gain control of the Oil thereby sending us into a depression or putting our military and defense in jeopardy. It won't happen.

  5. Bruce Schneier doesn't write books. by Timosch · · Score: 4, Funny

    He simply decrypts the truth.

  6. Re:Security by FooGoo · · Score: 4, Informative

    It's called transferring risk. The risk still exists but I pay someone else to mitigate it. There are some risks that a company may not be in a position to address themselves. Either due to conditions in the market place, lack of expertise, or excessive regulatory requirements.

    Educating users is probably the easiest and cheapest way to reduce risk. It doesn't cost a lot of money or take a lot of time. The problem is most companies just don't do it. You might be looking at a cost of $100 per employee per year and 30 minutes to an hour to take a class.

    Most companies mention it during orientation but never provide on-going training or support to their employees when it comes to security issues. In this case the infosec team needs to get out of their cubes and walk around and talk to people to be sure they can advise fellow employees on security risks and get the lowdown on which manager proposed something stupid this week. 90% of the security team's job should be education, be it educating developers, system admins, general counsel, marketing, exec admins, or the board of directors.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  7. Re:Security Isn't Important by burris · · Score: 4, Insightful

    Maybe in the military or in geek super spook krad fantasy land. In the real world of business there is little to no impact to a business as a whole over any security breaches. The public record is replete with examples of businesses who seriously dropped the security ball but the effect was about as dramatic as a bug getting squished on the corporate windshield. Sure there's some goo to wipe off but the car doesn't slow down.

    Microsoft, Netscape, credit card processors, insurance companies, civil administrations, many companies have slacked in their security but the worst that happened was a few negative articles in the press that were soon forgotten.

    Find just one company that was shut down or went out of business because of a security breach. You just can't do it. Execs rarely even get fired over this stuff.

    That's why businesses continue to have poor security. It's just not worth it. You just have to manage it, like everything else.