22 Oct 2008 14:22
It's easy to forget, with the headlines consumed by proposals to nationalise the banks, that also on the government's table are plans to store all the nation's communications data in a giant shed and roll out ID cards and several comprehensive citizen-tracking databases. The only good thing to be said for the financial crisis is that it may soak up the resources to pay for all this increased surveillance.
Not because terrorism isn't a genuine threat: of course it is. But — as Schneier repeatedly highlights — surveillance and data mining won't stop terrorists, although they will invade the privacy of ordinary citizens; airport security is 'security theater' designed more for show than for effect; and the two most effective measures taken since 9/11 are reinforcing cockpit doors and teaching passengers that passive acquiescence is no longer the right way to behave when a plane is hijacked. Those two changes cost hardly anything. The edifice that's been built in the name of security and the Iraq war have cost billions. Is this, Schneier asks, the best way we could have spent our money?
Any collection of columns is bound to have a good bit of repetition, and this one is no exception. The most frequently repeated phrase: 'security is a trade-off' (he helpfully counted them for me: 14 — 'I suppose it's my mantra').
Schneier has chosen to group his columns by topic. The 12 chapters contain varying numbers of pieces, none of them ordered chronologically. So in the election security chapter you jump from 2006 to 2003 and back to 2006 again. If you want to find a thread that follows the development of voting technology and its problems in the wake of the 2000 election, you must do it in your head.
Other broad topics include terrorism, ID cards, disasters, psychology, cybercrime and cyberwar, and the economics of security. Airline travel gets its own chapter — it's a particular obsession for anyone who travels regularly. Privacy and surveillance get both a chapter and another of Schneier's repeated aphorisms — that the face-off isn't, as commonly represented, between privacy and security but between liberty and control.
If there's a complaint to make about this book, it's that — other than a relatively brief introduction summarising the main themes — there's no new material. For those who don't subscribe to Schneier's free Crypto-Gram newsletter or chase from Wired News to The Guardian reading all his output, it's certainly convenient to have it all collected in one place. But books of columns are always improved by additional commentary outlining reader reactions, or explaining how the author's views may have changed or been enhanced in the light of subsequent events.
ZDNet talks to Bruce Schneier
Bruce Schneier first came to public attention in 1993, when he created the encryption algorithm Blowfish, which is still, impressively, in use after much expert examination. In 1999, he founded the managed security solutions company Counterpane, which was bought by BT in 2006. Meanwhile, he wrote books, breaking out with Applied Cryptography (1993, 2nd edition 1996), which is still probably the best-known textbook in the field.
It was, he says now, 'the right book at the right time. There was no other book out there. I was able to ride the internet wave'. And, of course, the mid-1990s wave of passionate activism surrounding cryptography — until then a controlled, military technology.
Schneier branched out, first into more general computer security with Secrets and Lies (2000) and then into broader security policy with Beyond Fear (2003). He also publishes the free monthly email newsletter Crypto-Gram, which he says has 150,000 subscribers. About 100,000 people read his daily blog, and many more read his words through other blogs and media stories. He is doubtless one of the few people who could make money from advertising on his personal site, but he doesn't bother. 'I already have a day job' (as BT's Chief Security Technology Officer), he says, adding wryly, 'and no reader has ever asked for me to include advertising.'
Secrets and Lies aimed to teach businesses how to cope with security in the digital age; Beyond Fear promoted practical security rather than the fear-driven kind that has become pervasive since 9/11. In the new book he talks about the cost of that security.
'No country has infinite resources,' he says, 'and we need to be smart about how we spend ours. I see this over and over again in security: people comparing the benefits of various security measures without looking at the costs.'
People who write books that, like Applied Cryptography, explain the inner workings of one or more aspects of security often get asked whether they aren't helping the bad guys by doing so. Schneier, however, has a different worry: that a little knowledge is a dangerous thing.
'I've often said that my book Applied Cryptography has done more damage to computer security than anything else ever written', he says. 'The problem is that people read my book and think they know how to design cryptography. Of course, they don't — this stuff is really hard — and they design something insecure. Even worse, they're convinced it is secure.' His way of shouldering that responsibility: writing Practical Cryptography (2003), in which, he says, 'I tried to be much more focused and prescriptive; I wanted readers to understand the context of cryptography better, instead of just all the cool things you could do with it.'
Being good at security requires a certain kind of mind — the kind that automatically scopes out a method of shoplifting whenever its owner walks into a store.
'I've done it ever since I can remember,' he says: 'wandering around stores as a child, going into a voting booth with my mother. Whenever I saw a system, I wanted to figure out how I could break it. I've often said that ethics is the only thing that separates a good security professional from a good criminal.'
Story URL: http://reviews.zdnet.co.uk/software/productivity/0,1000001108,39525471,00.htm