Crypto-Gram Tenth Anniversary Issue
Ten years ago I started Crypto-Gram. It was a monthly newsletter written entirely by me. No guest columns. No advertising. Nothing but me writing about security, published the 15th of the month every month. Now, 120 issues later, none of that has changed.
I started Crypto-Gram because I had a lot to say about security, and book-length commentaries were too slow and too infrequent. Sure, I was writing the occasional column in the occasional magazine, but those were also too slow and infrequent. Crypto-Gram was supposed to be my personal voice on security, sent directly to those who wanted to read it.
I originally thought about charging for Crypto-Gram. I knew of several newsletters that funded themselves through subscription fees, and figured that a couple of hundred subscribers at $150 or so would sustain itself very nicely. I don’t remember why I decided not to — did someone convince me, or did I figure it out myself — but it was easily the smartest decision I made about this newsletter. If I’d charged money for the thing, no one would have read it. Since I didn’t, lots of people subscribed.
There were 457 subscribers by the end of the first day. After that, circulation climbed slowly and steadily. Here are the totals for May of each year:
Those numbers hide a lot of readers, like the tens of thousands that read Crypto-Gram via the Web. I also know of people that forward my newsletter to hundreds of others. There are many foreign translations that have their own subscription list. These days I estimate that I have about 25,000 newsletter readers not included in those numbers.
I have no idea where the initial batch of subscribers came from. Nor do I remember how people subscribed before the webpage form was done. I do remember my first big burst of subscribers, though. It was following my special issue after 9/11. I wrote something short for the September issue, but I found that I couldn’t stop writing. Two weeks later, I published a special issue on the terrorist attacks. Readers forwarded that issue again and again, and I ended up with many new subscribers as a result.
Reader comments began earlier, in December 1998. I found I was getting some really intelligent comments from my readers — especially those that disagreed with me — and I wanted to publish some of them. Some of the disagreements were nasty. In October 1998, I started a column called “The Doghouse,” where I made fun of snake-oil security products. Some of the companies didn’t like being so characterized, and sent me threatening legal letters.
Turns out that publishing those sorts of threats as letters to Crypto-Gram was the best defense, even though my lawyers always discouraged it. None of these incidents ever went past the threatening stage, even though court papers were occasionally filed.
Over the years, Crypto-Gram’s focus has changed. Initially, it was all cryptography. Then, more computer and network security. Then — especially after 9/11 — more general security: terrorism, airplanes, ID cards, voting machines, and so on. And now, more economics and psychology of security. My career has been a progression from the specific to the general, and Crypto-Gram has generalized to reflect that.
The next big change to Crypto-Gram came in October 2004. I had been reading about blogging, and wondered for several months if switching Crypto-Gram over to blog format was a good idea or not. Again, it was about speed and frequency. I found that others were commenting on security stories faster, and that by the time Crypto-Gram would come out, people had already linked to other stories. A blog would allow me to get my commentary out even faster, and to be part of the initial discussions.
I went back and forth. Several people advised me to change, that blogging was the format of the future. I was skeptical, preferring to push my newsletter into my readers’ mailboxes every month. I sent a survey to 400 of my subscribers — 200 random subscribers and 200 people who had subscribed within the past month — asking. My eventual solution was the second smartest thing I did with this newsletter: to do both.
The Schneier on Security blog started out as Crypto-Gram entries, delivered daily. And the early blog entries looked a lot like Crypto-Gram articles, with links at the end. Over the following months I learned more about the blogging style, and the entries started looking more like blog entries. Now the blog is primary, and on the 15th of every month I take the previous month’s blog entries and reconfigure them into Crypto-Gram format. Even today, most readers prefer to receive Crypto-Gram in their e-mail box every month — even if they also read the blog online.
These days, I like both. I like the immediacy of the blog, and I like the e-mail format of Crypto-Gram. And even after ten years, I still like the writing.
People often ask me where I find the time to do all of that writing. It’s an odd question for me, because it’s what I enjoy doing. I find time at home, on airplanes, in hotel rooms, everywhere. Writing isn’t a chore — okay, maybe sometimes it is — it’s something that relaxes me. I enjoy putting my ideas down in a coherent narrative flow. And there’s nothing that pleases me more than the fact that people read it.
The best fan mail I get from a reader says something like: “You changed the way I think.” That’s what I want to do. I want to change the way you think about security. I want to change the way you think about threats, and risk, and trade-offs, about security products and services, about security rhetoric in politics. It matters less if you agree with me or disagree, only that you’re thinking differently.
Thank you. Thank you on this 10th anniversary issue. Thank you, long-time readers. Thank you, new readers. Thank you for continuing to read what I have to write. This is still a lot of fun — and interesting and thought provoking — for me. I hope it continues to be interesting, thought provoking, and fun for you.