Crypto-Gram

Seven years ago I started writing a monthly newsletter on security. Today, Crypto-Gram has over 120,000 readers, and is still growing.

If you read this blog every day, you don't need to subscribe to Crypto-Gram. Everything in Crypto-Gram appears first in this blog. But I often update the longer essays, based on new information and reader comments, before including them in Crypto-Gram. The blog is more timely, but Crypto-Gram is more polished.

Some of you might prefer to read my writing in a monthly digest rather than in bits and pieces. Some of you might prefer an email that comes to you, rather than having to remember to check this blog. If so, try Crypto-Gram.

Crypto-Gram comes out on the 15th of every month. You can read the current issue (it came out today) here. You can read back issues here.

And if you want to subscribe to the monthly email -- I promise no marketing e-mail ever -- here.

Posted on May 15, 2005 at 3:01 PM • 22 Comments

Comments

Arik • May 15, 2005 4:21 PM

I was a crypto-gram subscriber, but now I'm subscribed to your RSS feed. I use the crypto-gram archives when I want to point someone to an article.

The added value - for me - is not timeliness but rather users' comments. It seems like you have gathered an intelligent crowd, and it's fun to read and participate - it's an interactive medium.

-- Arik

Chris • May 15, 2005 4:53 PM

Why did "y" feel the need to post such a senseless message!

I listened to the IT Conversations podcast you recorded. In it you commented that you were not a psychologist. Sometimes in my day to day goings I wish I understood the human mind better - then I might understand what motivates people to break things just for the sake of it. I never cease to be amazed at the cynicism and bitterness of people who often have such a lot of chances compared to 95% of the world. Cracking for a feeling of superiority I can fathom, senseless destruction confuses me.

Maybe then I might also understand why "y" feels the need to leave his dollop of worldly wisdom on our front lawn. Such perception. Give any cynic enough time for his predictions to come to fruition and he will nearly always be proved right. However, by the time he discovers proof, everybody who might have cared has moved on long ago.

Personally, I would rather thank the site author for his efforts and tell him I genuinely look forward to his writings.

Bruce Schneier • May 15, 2005 6:02 PM

"Everybody promises 'no marketing e-mail ever.'"

I understand y's cynicism. Companies fail to follow their own privacy policies again and again. But I like to think I have more personal integrity than the average company. Crypto-Gram has been published since 1998. In that time nothing has ever gone out on the list except the newsletter itself, and I think one or two administrative messages. So you can make your determination by future policy or past history.

The list of addresses has also never been sold or given to a third party for spam, or for any purpose. I have even refused to give the list to Counterpane. (They only asked once.) I don't even have access to the list, and the listowner who does wouldn't give it to me if I asked.

As a point of possible interest, there's a related story at http://www.schneier.com/crypto-gram-0305.html#6 about what was really happening when one user thought I divulged his address to a spammer.

I'm sure this isn't good enough for everyone, which is why Crypto-Gram is also available on the web.

Saar Drimer • May 15, 2005 6:15 PM

Bruce,
I got this month's newsletter 3 times today. this never happened before. maybe you could check why. no big deal, though.

Bob Killingsworth • May 15, 2005 6:30 PM

You wrote, "If you read this blog every day, you don't need to subscribe to Crypto-Gram."

The *editor-selected* user comments add substantial value to Crypto-Gram. I hope you'll keep doing both.

Dave Hull • May 15, 2005 6:34 PM

I also rec'd this month's Cryptogram three times and though I don't normally check the blog, I came here to find out why. Ah well, computers fail us sometimes.

Bruce Schneier • May 15, 2005 6:35 PM

"I got this month's newsletter 3 times today. this never happened before. maybe you could check why. no big deal, though."

We know why it happened. It was a mixup with our new mailing list software. It won't happen again.

(Although I am really pissed that it happened once.)

Bruce Schneier • May 15, 2005 6:36 PM

"You wrote, 'If you read this blog every day, you don't need to subscribe to Crypto-Gram.' The *editor-selected* user comments add substantial value to Crypto-Gram. I hope you'll keep doing both."

That's a good point. The letter column in Crypto-Gram is not in the blog. That's because those are email comments to Crypto-Gram, not selected comments from the blog.

Crypto-Gram has about 10x the readers that the blog does, so most of the comments are from Crypto-Gram.

michael • May 15, 2005 6:44 PM

it would've been funny if you had posted _that_ response 3 times.

Jason • May 15, 2005 7:20 PM

"I got this month's newsletter 3 times today. this never happened before. maybe you could check why. no big deal, though."

Am I special because I only got two? :D

Sam Tilders • May 15, 2005 8:03 PM

Bruce,
The new mailing list software seems to be missing a List-Id header (and other common list info headers). Not compulsory, but it was nice having it before:

List-Id: Bruce Schneier <crypto-gram-list.schneier.com>

(Not only did I get the issue three times, but it missed my filters...)

- Sam

Christos Evaggelou • May 15, 2005 9:13 PM

"Today, Crypto-Gram has over 120,000 readers, and is still growing."

Count one more here :)

Richard • May 16, 2005 1:20 AM

The latest issue was rejected by the corporate server in my company. The content contains word patterns related to 'sex' that caused the rejection.

Related to this, I found that the mail server in my company, in addition to reporting the rejection of the email, also includes the list of recipients in my company that suffer the same problem. What a GREAT FEATURE! I wonder if this would be a good way to hack the subscription list, should other public email servers be doing the same thing.

Ari Heikkinen • May 16, 2005 3:00 PM

Everyone promises no marketing, ever. The reality, however, is it's really hard to resist temptation when you get something going so well it gets to the point it's very popular (isn't that "Counterpane News" that's integrated in every Crypto-Gram pretty much meant for marketing?).

Anyways, thanks for all the good articles over the years and keep up the good work!

Bruce Schneier • May 16, 2005 5:06 PM

"Everyone promises no marketing, ever. The reality, however, is it's really hard to resist temptation when you get something going so well it gets to the point it's very popular (isn't that 'Counterpane News' that's integrated in every Crypto-Gram pretty much meant for marketing?)."

So far, I've managed to resist. And I've made sure that Counterpane resists too.

Yes, the "Counterpane News" section is commercial. I've been doing that since 1998. It's clearly marked, and I do my best to keep it small. The Counterpane marketing team is always coming to me with long commercials they want in Crypto-Gram, and I make them put it all on a Counterpane URL -- and then I write a sentence or two pointing to it.

Webmaster, Brooklyn • May 16, 2005 9:20 PM

A client of mine who subscribes to your newsletter was worried that his e-mail was down because he received notice that his subscription was cancelled and that it was his e-mail provider's fault. Particularly worrisome to him, I believe, was this paragraph:
------------
DO NOT LET TECHNICAL PEOPLE CONVINCE YOU THAT THIS IS NORMAL. It is never
normal for a mail system to claim that a valid, working account does not
exist, just as it would not be normal for the post office to return some
of your mail with "addressee unknown" when the address was written
correctly. It is true that some mail systems are less reliable than
others, and your technical people may be doing the best they can with the
tools they have. But, ultimately, the level of service that you are
receiving is the result of a business decision, and not something due to
a universal technical limitation that one can only accept. Reliable mail
systems do exist, and it is ultimately up to you to decide whether this
level of service is acceptable or not.
-----------
His e-mail host is GoDaddy. There are no indications of any other disruptions to his service. Most likely, the few comments above this one that speak of malformed headers and spam-like syntaxes generated by your new listserve software are on target, and you should speak with your (new?) list manager post-haste. In addition to the tweaking he needs to do to your headers, he should tweak the language above to something a little more calm, a little more professional, and, in this case, a good deal more humble. - Colin

Bruce Schneier • May 17, 2005 5:19 PM

We heard from another subscriber who had exchanged e-mail with GoDaddy support about this problem, and forwarded the messages to us. They said Crypto-Gram was blocked because it contained links to sites that were either listed in spamhaus.org, or in their own "spammer" database. Since we've only heard about this problem from GoDaddy users, it's probably the latter.

I don't know which of the links in the issue was the problem. I don't think I linked to anything particularly shady. Then again, with 50 or more links in a typical issue, it doesn't take that high a rate of false positives for issues to occasionally be blocked.

GoDaddy also said they were "not able" to whitelist senders, so GoDaddy users have no recourse but to sign up with a different address or to read on the web instead.

I agree the error message from the list is bad and should be changed. On the other hand, I personally wouldn't allow technical people to convince me that a content filter without a whitelist is a normal limitation that I can only accept.

John Breakwell • May 16, 2008 4:58 AM

My Microsoft.com account has just been kicked off the email list: "The last reported error was: 5.7.1 550 5.7.1 - Your e-mail was rejected by an anti-spam content filter on gateway (....). Reasons for rejection may be: obscene language, graphics, or spam-like characteristics. Removing these may let the e-mail through the filter."


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..