"The closest the security industry has to a rock star.", The Register says. And they are downward right. Bruce's reflections on security and privacy related topics are down to earth, both practical and well-thought, and still (sometimes painfully) true to the present day.
The book "Schneier on Security" by Bruce Schneier is a collection of posts and essays he wrote in various magazines, newsletters and his own blog on schneier.com. They are all relatively short stories, but they hold great value nonetheless. Below is a list of topics I found relevant for myself in his book.
- Terrorism and Intelligence Agencies;
- Liability and Security by Design;
- Privacy and Surveillance;
- Economics and Psychology of Security.
I will cover the topics in more and less detail and highlights the points that I found meaningful or that I have learned or what my reflection on the topics are. Be aware, it is my interpretation of the book by Bruce Schneier. This post therefore may or may not be the same as the opinion of the author. Because there is always a risk of a misinterpretation on my part.
Terrorism and Intelligence AgenciesDespite the fact that I do not condone terrorism or violence in general, there are three questions we need to ask in regard to terrorism and its security.
- How real or present is the threat?
- How can we really decrease the chance or impact of its risk (by increasing security)?
- And how much are we willing to pay (money, freedoms, convenience) for it?
In order to properly address security against terrorism it is important to let go of the fear. Fear clouds our judgements and often leads to wrong decisions. Which can even lead to a decreased security, increased threat, and people feel more secure while in fact they are not. And we as a society often 'help' the cause of terrorists with being more afraid to threats that are likely not worth the countermeasures.
So in order to actually be more secure Bruce says we need to increase targeted-surveillance and investigation, cutting of funding of terrorists and actually find the terrorists themselves instead of guessing were they will attack next. Besides these steps it is very important to improve the way we respond to emergencies and how we can lessen the impact of an attack. And the last, but perhaps the most important, we need to consider our foreign policies and the way they increase or decrease happy feelings towards our Western democracies.
And giving more power and tools to intelligence agencies to collect more data of everyone won't help with increasing security. It will help with creating a government controlled society. But later on that subject.
Liability and Security by DesignBruce talks a lot about voting machines security in this book. They are often ill-proven developed, tested and implemented. When it comes to security of voting machines, it actually comes to security by design for every piece of software. When creating something, start with what can go wrong.
Liability, or the lack of it, is the main reason why software tends to be insecure by default and why security is patched in to it later in its life cycle. Software developed this way is generally more insecure (even with 1,000 security patches) than software developed with security in mind and practice.
Bruce says that software with 100 patches is not more secure than software with 10 patches, but also not less secure. Because software is not developed with security in mind you simply don't know so therefore you have to assume that software is vulnerable. Vulnerable by design actually.
There are allot of practices like OWASP that can help building software that are more secure by design. The main problem here is actually liability. The ones that suffer from poorly designed software are not the ones that can actual influence the development of software. If software developing companies would be (more) liable for insecure products, they would make software more secure. Fundamentally this is about the economics of security (with I will cover later in this post).
So, if we want to have more secure voting machines, more secure operating systems, more secure applications, than we need to change who is liable (within reason of course) for the products that are developed.
Privacy and SurveillanceI mentioned targeted-surveillance in the topic about terrorism and what Bruce says about good security practices. There can be many trade-offs towards increasing security, and decreasing privacy is one of them. Bruce talks about intelligence agencies allot, and I follow his opinion on this matter. These agencies are part of our lives for centuries in the past and centuries to come. They can actually increase our security and therefore they make sense. But the trade-off is changing the past decades due to new technologies and lack of self-control.
Bruce suggests, in case of the National Security Agency (NSA), to split them up in three parts and place them under other current existing agencies. The functions they provide are necessary to counter crime, and foreign threats. In short the split is listed below.
- Domestic targeted surveillance, to be placed under the supervision of the FBI (they are bound to laws that require court orders and such);
- Foreign targeted surveillance, to be placed under the supervision of the CIA (they are bound to laws that require them to work against foreign wrong doing);
- Targeted digital attacks, to be placed under the supervision of the military (attacks, whether digital or not, should always be under the control of the military).
...that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.--That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, --That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed...
Economics and Psychology of Security
First released: September 2008