Saturday, February 21, 2015

Book review: Schneier on Security, by Bruce Schneier

"The closest the security industry has to a rock star", The Register says. And they are downright correct. Bruce's reflections on security and privacy related topics are down to earth, both practical and well thought out, and still (sometimes painfully) true to the present day.

The book "Schneier on Security" by Bruce Schneier is a collection of posts and essays he wrote in various magazines, newsletters and on his own blog. They are all relatively short pieces, but they hold great value nonetheless. Below is a list of the topics I found relevant for myself in his book.
  • Terrorism and Intelligence Agencies;
  • Liability and Security by Design;
  • Privacy and Surveillance;
  • Economics and Psychology of Security.
The topics are covered in twelve chapters in his book, including an extensive list of references. And whatever the case, Bruce says that security is always a trade-off. And I totally agree with him here. Security is not absolute, and living your life is risky by design. But building security into your life, technology or otherwise, always has a cost. And people should weigh those costs against the real benefits of security, not just the feelings that come with it.

I will cover the topics in varying detail and highlight the points that I found meaningful, that I learned from, or that I have my own reflections on. Be aware that this is my interpretation of the book by Bruce Schneier. This post therefore may or may not reflect the opinion of the author, because there is always a risk of misinterpretation on my part.

Terrorism and Intelligence Agencies

While I do not condone terrorism or violence in general, there are three questions we need to ask in regard to terrorism and security against it.
  1. How real or present is the threat?
  2. How can we really decrease the chance or impact of its risk (by increasing security)?
  3. And how much are we willing to pay (money, freedoms, convenience) for it?
There is a lot of debate going on these days about the reality of terrorism. It is often the sole reason that government agencies get more power: more power to counter terrorism. Often that increase in power leads to feeling more secure, but seldom to an actual increase in security.

In order to properly address security against terrorism it is important to let go of the fear. Fear clouds our judgement and often leads to wrong decisions, which can even result in decreased security and an increased threat, while people feel more secure when in fact they are not. And we as a society often 'help' the cause of terrorists by being more afraid of threats than the countermeasures are worth.

So in order to actually be more secure, Bruce says we need to increase targeted surveillance and investigation, cut off the funding of terrorists and actually find the terrorists themselves instead of guessing where they will attack next. Besides these steps it is very important to improve the way we respond to emergencies and how we can lessen the impact of an attack. And last, but perhaps most important, we need to consider our foreign policies and the way they increase or decrease goodwill towards our Western democracies.

And giving more power and tools to intelligence agencies to collect more data on everyone won't help increase security. It will help create a government-controlled society. But more on that subject later.

Liability and Security by Design

Bruce talks a lot about the security of voting machines in this book. They are often poorly developed, tested and implemented. The security of voting machines really comes down to security by design, and that applies to every piece of software. When creating something, start with what can go wrong.

Liability, or the lack of it, is the main reason why software tends to be insecure by default and why security is patched into it later in its life cycle. Software developed this way is generally more insecure (even with 1,000 security patches) than software developed with security in mind and in practice.

Bruce says that software with 100 patches is not more secure than software with 10 patches, but also not less secure. Because the software was not developed with security in mind, you simply don't know, so you have to assume that the software is vulnerable. Vulnerable by design, actually.

There are a lot of practices and guidelines, like those of OWASP, that can help build software that is more secure by design. The main problem here is actually liability. The ones that suffer from poorly designed software are not the ones that can actually influence the development of software. If software development companies were (more) liable for insecure products, they would make software more secure. Fundamentally this is about the economics of security (which I will cover later in this post).

So, if we want more secure voting machines, more secure operating systems and more secure applications, then we need to change who is liable (within reason of course) for the products that are developed.

Privacy and Surveillance

I mentioned targeted surveillance in the topic about terrorism and what Bruce says about good security practices. There can be many trade-offs towards increasing security, and decreasing privacy is one of them. Bruce talks about intelligence agencies a lot, and I follow his opinion on this matter. These agencies have been part of our lives for centuries and will be for centuries to come. They can actually increase our security and therefore they make sense. But the trade-off has been changing over the past decades due to new technologies and a lack of self-control.

Bruce suggests, in the case of the National Security Agency (NSA), splitting it up into three parts and placing them under other existing agencies. The functions they provide are necessary to counter crime and foreign threats. In short, the split is listed below.
  • Domestic targeted surveillance, to be placed under the supervision of the FBI (they are bound to laws that require court orders and such);
  • Foreign targeted surveillance, to be placed under the supervision of the CIA (they are bound to laws that require them to work against foreign wrongdoing);
  • Targeted digital attacks, to be placed under the supervision of the military (attacks, whether digital or not, should always be under the control of the military).
And we should stop mass surveillance altogether. Mass surveillance does not increase our security. It does increase the IT costs associated with it, and it does decrease the privacy of all civilians, both domestic and foreign (this is the trade-off!). It criminalizes all people, it impacts our privacy, how we think and act, and ultimately it impacts our democracy and freedoms.

Let me quote a paragraph from the Declaration of Independence of the founding fathers of the United States of America, written on July 4th, 1776.
...that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.--That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, --That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed...
Let us remind ourselves, through the words of these wise men, that all men are created equal, all men have the same human rights, all men should live in freedom, and no man, woman or child should be the victim of any government that undermines those principles.

Economics and Psychology of Security

The last topic I want to address is that of the economics and psychology of security. They are linked together and Bruce rightfully addresses them.

The economic side of security is that security often fails due to the wrong economic incentives. The people who could provide security are not the ones that suffer from the negative impact of insecurity. This is the liability part I covered earlier in this post. In short, when we can shift these dynamics we will see better economic decisions in regard to security.

The psychology side of security is important also. Bruce focuses on two subjects here. The first is the difference between feeling secure and being secure and the second is risk seeking versus risk avoiding decision making.

An important factor in a security product is whether you are actually secure. Really secure products tend to be costlier than less secure products (due to longer development or testing times). But when we feel equally secure with both products, we will choose the cheaper one, even though it is actually less secure. It is important for businesses, actually for everyone, to consider this dynamic of our subconscious mind. When choosing between security products we need to make decisions based on data.

And this is where we hit another pitfall. Bruce says, based on many studies done by others, that we tend to be risk-seeking when we have something to lose and that we tend to be risk-avoiding when we have something to gain.

It all comes down to this. When a security professional advises a board of directors to implement security product xyz to prevent a potential loss of $1,500,000 somewhere between now and 5 years from now, he has a difficult job. Especially when the security product will cost $500,000 over the next 5 years. The board will likely take the risk, because otherwise they are guaranteed to lose the $500,000.

But when a business has something to gain, it tends to be risk-averse. When a business can choose between gaining $500,000 now or the likelihood of gaining either nothing or $1,500,000 in the next 5 years, the business will likely not take the risk and settle for the $500,000 right now.

And as security is inherently a fear sell, as Bruce states in various online seminars, this probably won't change, and decision makers will have to try to base their decisions solely on data.


I think it is a very nice book and definitely worth the read. Although everything in it was written between 2002 and 2008, it still holds value today. My advice: buy it, read it and draw your own conclusions.

You won't regret it!

First released: September 2008
Pages: 336
ISBN: 978-0-470-39535-4
