Crypto-Gram Tenth Anniversary Issue

Ten years ago I started Crypto-Gram. It was a monthly newsletter written entirely by me. No guest columns. No advertising. Nothing but me writing about security, published the 15th of the month every month. Now, 120 issues later, none of that has changed.

I started Crypto-Gram because I had a lot to say about security, and book-length commentaries were too slow and too infrequent. Sure, I was writing the occasional column in the occasional magazine, but those were also too slow and infrequent. Crypto-Gram was supposed to be my personal voice on security, sent directly to those who wanted to read it.

I originally thought about charging for Crypto-Gram. I knew of several newsletters that funded themselves through subscription fees, and figured that a couple of hundred subscribers at $150 or so would sustain itself very nicely. I don't remember why I decided not to -- did someone convince me, or did I figure it out myself -- but it was easily the smartest decision I made about this newsletter. If I'd charged money for the thing, no one would have read it. Since I didn't, lots of people subscribed.

There were 457 subscribers by the end of the first day. After that, circulation climbed slowly and steadily. Here are the totals for May of each year:

199915964
200033827
200145832
200258046
200366368
200475907
200583835
200687839
200792488
200898618

Those numbers hide a lot of readers, like the tens of thousands that read Crypto-Gram via the Web. I also know of people that forward my newsletter to hundreds of others. There are many foreign translations that have their own subscription list. These days I estimate that I have about 25,000 newsletter readers not included in those numbers.

I have no idea where the initial batch of subscribers came from. Nor do I remember how people subscribed before the webpage form was done. I do remember my first big burst of subscribers, though. It was following my special issue after 9/11. I wrote something short for the September issue, but I found that I couldn't stop writing. Two weeks later, I published a special issue on the terrorist attacks. Readers forwarded that issue again and again, and I ended up with many new subscribers as a result.

Reader comments began earlier, in December 1998. I found I was getting some really intelligent comments from my readers -- especially those that disagreed with me -- and I wanted to publish some of them. Some of the disagreements were nasty. In October 1998, I started a column called "The Doghouse," where I made fun of snake-oil security products. Some of the companies didn't like being so characterized, and sent me threatening legal letters.

Turns out that publishing those sorts of threats as letters to Crypto-Gram was the best defense, even though my lawyers always discouraged it. None of these incidents ever went past the threatening stage, even though court papers were occasionally filed.

Over the years, Crypto-Gram's focus has changed. Initially, it was all cryptography. Then, more computer and network security. Then -- especially after 9/11 -- more general security: terrorism, airplanes, ID cards, voting machines, and so on. And now, more economics and psychology of security. My career has been a progression from the specific to the general, and Crypto-Gram has generalized to reflect that.

The next big change to Crypto-Gram came in October 2004. I had been reading about blogging, and wondered for several months if switching Crypto-Gram over to blog format was a good idea or not. Again, it was about speed and frequency. I found that others were commenting on security stories faster, and that by the time Crypto-Gram would come out, people had already linked to other stories. A blog would allow me to get my commentary out even faster, and to be part of the initial discussions.

I went back and forth. Several people advised me to change, that blogging was the format of the future. I was skeptical, preferring to push my newsletter into my readers' mailboxes every month. I sent a survey to 400 of my subscribers -- 200 random subscribers and 200 people who had subscribed within the past month -- asking. My eventual solution was the second smartest thing I did with this newsletter: to do both.

The Schneier on Security blog started out as Crypto-Gram entries, delivered daily. And the early blog entries looked a lot like Crypto-Gram articles, with links at the end. Over the following months I learned more about the blogging style, and the entries started looking more like blog entries. Now the blog is primary, and on the 15th of every month I take the previous month's blog entries and reconfigure them into Crypto-Gram format. Even today, most readers prefer to receive Crypto-Gram in their e-mail box every month -- even if they also read the blog online.

These days, I like both. I like the immediacy of the blog, and I like the e-mail format of Crypto-Gram. And even after ten years, I still like the writing.

People often ask me where I find the time to do all of that writing. It's an odd question for me, because it's what I enjoy doing. I find time at home, on airplanes, in hotel rooms, everywhere. Writing isn't a chore -- okay, maybe sometimes it is -- it's something that relaxes me. I enjoy putting my ideas down in a coherent narrative flow. And there's nothing that pleases me more than the fact that people read it.

The best fan mail I get from a reader says something like: "You changed the way I think." That's what I want to do. I want to change the way you think about security. I want to change the way you think about threats, and risk, and trade-offs, about security products and services, about security rhetoric in politics. It matters less if you agree with me or disagree, only that you're thinking differently.

Thank you. Thank you on this 10th anniversary issue. Thank you, long-time readers. Thank you, new readers. Thank you for continuing to read what I have to write. This is still a lot of fun -- and interesting and thought provoking -- for me. I hope it continues to be interesting, thought provoking, and fun for you.

Posted on May 15, 2008 at 11:13 AM • 48 Comments

Comments

Count0May 15, 2008 11:32 AM

And thank you Bruce for 10 years of lucid discussions on often tricky topics. I don't remember exactly how I found your email news letter, but I am still very happy that I did! Here's to the next 10 years

wiredogMay 15, 2008 11:36 AM

I must've started reading crypto-gram soon after it was on the web, I'm sure I was reading it prior to 2000. But then I'm a programmer who has a copy of Applied Cryptography.

Lewis DonofrioMay 15, 2008 11:54 AM

Bruce,

I am very proud; to be a part of history in the making.

--Here's to the next 50 years!
____________________________________________________________________
Lewis Donofrio Infrastructure Manager 734-355-0592

ScottMay 15, 2008 11:59 AM

I was an occasional reader of your work prior to your 9/11 commentary. Mostly due to friends forwarding me particular articles from cryptogram.

Your 9/11 commentary was what got me to actually subscribe, first to the email version, then to the blog.

I frequently find your writing though provoking, relevant, and interesting.

Thanks Bruce! Don't ever stop :-)

old guyMay 15, 2008 12:09 PM

This is a good way to take a break at work. You enjoy writing, I enjoy the reading. The comments are great, too.

Timmy303May 15, 2008 12:13 PM

Holy crap has it been ten years? Oh man. I feel old. No wait, I AM old. Dang it.

I remember after reading Applied Cryptography twelve years ago how excited I was to find your website, and then how confused I was with all the statistics and mathematics symbology that filled so many of your online papers :-) Cryptogram was a breath of fresh air - security horse sense written the way you would speak at Defcon and the like. I'm glad you do what you do, please continue to do so!

JezMay 15, 2008 12:17 PM

Well done Bruce!! ten years with nearly 100K subscribers..

Been reading since i started my degree in 2000.. finished and now working in the networking industry.. I think yours is the only mail list I read EVERY MONTH!!

Keep up the great work!

e-planitMay 15, 2008 12:20 PM

Thank you Bruce! You've provided many of us a great deal of knowledge, deep insights, and lots of motivation. Beyond the technical, in our world of leadership-via-fear-mongering, you're providing the much-needed voice of reason. Keep it up!

Dave HughesMay 15, 2008 12:23 PM

Congratulations, you're welcome, happy birthday -- and most of all, thank you.

AnonymousMay 15, 2008 12:51 PM

Thank You Bruce for all the years.
While I haven't figured out when I first read Crypto-Gram, I know it was early on. Perhaps from the old Spyking/SF list? Maybe I'll have to dig out my old archives and printouts.
Anyway, you sure help me get onto the path of computers and crypto! Reading your stuff for a few years, I finally took the bait!
Keep up the good work.

jrronimoMay 15, 2008 1:13 PM

Well, I guess this is an appropriate place to start reading the 'gram. :)

AnonymousMay 15, 2008 1:55 PM

Like many, I started out as a subscriber to the e-mail. But being from the younger "blog" generation I remember wishing you had it in blog form. I didn't realize at the time that you had already been doing that :)
When I finally found the blog, it immediately got a place in my "read every day" bookmark folder. Now I even load it in the RSS reader on my blackberry, so I can read wherever I am!
Thank you for all your efforts to raise awareness of security in today's world.

Tangerine BlueMay 15, 2008 1:56 PM

I first started reading when my sparring partner, Chuck Norris, told me there was only one man alive he feared. Now I too am a Bruce-fearing man, and I live my life in the hopes to emulate His Example.

I enjoy Crypteeos breakfast cereal with Bob at Alice's Restaurant, for lunch I eat politicians alive at Pander Express, and I have economists over for dinner while we watch Security Theater.

Bruce, you've changed my life. Thank you.

johnmacdonaldMay 15, 2008 2:04 PM

Is it only ten years? I seem to recall reading the newsletter in the mid-90's, but that just proves my memory is getting weaker in old age. I was an early (but not first-day) subscriber, but for a number of years I have only read the blog - the subscription is lost in a mase of twisty little email address changes. With absolutely no facts to back it up, my opinion would have been that there were many more blog readers than newletter readers nowadays.

I've enjoyed and learned a lot from your writings, both the newsletter/blog and your books. (About five years ago I found that my son had taken "Applied Cryptography" off the computer room bookshelf and had it in his room for recreational reading. I guess that leavening fiction like "The Lord of the Rings" with non-fiction like "The Mythical Man-Month" for bedtime reading over the years had a positive effect. :-)

MuffinMay 15, 2008 2:58 PM

I don't know when I first subscribed anymore, but it must've been in 1999 or 2000.

Here's to another ten years - three cheers for you, Bruce! Keep up the great work! :)

mokum von AmsterdamMay 15, 2008 3:20 PM

For the love of chees I can not remember when you made an entry into _my_ security domain but I do know it was when we both where still pretty :P

Your postings [in what ever format] have always been thought provoking and stimulating, even when we disagree at moments. There is few people in the realm who cover so much ground as you do.

Thank you, a lot & for many things.

Adam CMay 15, 2008 3:26 PM

Bruce,

Thank you for your contributions to the "collective." I found your site via a Lawrence Lessig article and have read regularly ever since.

Thanks again, it is much appreciated.

AnonymousMay 15, 2008 3:27 PM

Bruce,

Thank you for your contributions to the "collective." I found your site via a Lawrence Lessig article and have read regularly ever since.

Thanks again, it is much appreciated.

Chris B.May 15, 2008 3:37 PM

I don't know when I subscribed, but I started keeping the grams in '03.

Thanks so much Bruce, your posts always give an incredibly lucid, logical look at some vitally important, and politically charged, issues. The world's a better place because you make correct answers easier to understand, and expose knee-jerk fluff answers for what they are.

And you also dig up some extremely key tidbits on squid.

Keep it up!

tonykMay 15, 2008 4:36 PM

I subscribed to Crypogram in late 2000, after reading your afterword in Neil Stephenson's Cryptonomicon. I'm still on the mailing list, though I tend to read it less now that I read your blog via RSS.

Thank you for 10 great years.

claudioMay 15, 2008 4:42 PM

You made me curious, so I took my 1998 mail archives and found this:
> ...
> Received: (from raphael@localhost) by
> grinder.visi.com (8.8.8/8.6.12) id EAA24899
> ...
> Subject: confirm subscribe to crypto-gram@chaparraltree.com
> ....
> Hi! This is the ezmlm program. I'm managing the crypto-gram@chaparraltree.com mailing list.
>...

ciao

- Claudio

LeahrMay 15, 2008 5:29 PM

I'm completely new here- I recently read Cory Doctorow's Little Brother and looked up your site after I read your afterword. Basically, I think your articles are brilliant, and the links are really interesting. "Thought-provoking" is an understatement. I started to notice news items and systems in a different way, and I've barely started to read your stuff!

For example: http://www.nytimes.com/2008/05/14/us/14visa.html?em&ex=1210996800&en=659393fd425fbf2d&ei=5087%0A
When I read that, I was waiting to hear your take on it.

So, congratulations on Crypto-gram's tenth! I am sad I missed so many issues, although I admit that when you started, I was too young to have really understood anything you said. But I guess it's not too late! I'm going to go read some back issues now.

Pat CahalanMay 15, 2008 5:59 PM

Every few weeks, someone comes to read the "Rudy Giuliani" post I wrote up in my blog that you linked to in the Feb. Cryptogram. I get visitors from the blog post links, too, but a solid chunk comes from either links from webmail services or from the crypto-gram summary page on this site.

So the email format is still alive and well. Keeping it and the blog simultaneously running was a great idea.

Brian EnigmaMay 15, 2008 6:27 PM

I know that I subscribed by emailing the address in the back of the first (blue cover) edition of Applied Cryptography. I was surprised by the personal response, as I assumed it would get processed by some sort of mailer-bot.

claudioMay 15, 2008 6:55 PM

@Brian Enigma:
you must be wrong, the blue cover edition is from 1993, checked right now, and a couple of years later the red edition was published. No Crypto-gram at that time

Clive RobinsonMay 15, 2008 7:27 PM

Is it only ten years, hmm seems longer but hey being on the wrong side of my "mid life... " it's probably due to now having creeky bits.

Not sure when I subscribed to the gram although like others I have the blue and red AC's on the book shelf amongst your other "works". I switched over to the blog fairly early on.

One point you did miss about why the gram/blog is so popular. You also published readers comments (both good/bad and pro/contry) in the gram and have since played a genial host on your blog.

Just a little sugestion as to an improvment for the blog, in these days of hand held mobile browsers and their limitations. Can you put a link back to your main blog page on the right hand pane of links?

It's just that the pesky browser on a lot of mobiles does not scroll back very fast and the right pane always ends up displayed after the comments pane.

Finaly keep up the good work and grinding away at what you see as wrong. I may sometimes disagree with your viewpoint but it always provides further insight.

SteveMay 15, 2008 7:51 PM

Congtrats on 10 years. I tripped over CG more recently - don't remember how - and found it a refreshing change from the hysteria of the news media. As Voltaire said, "Common sense is not so common." Wish the news channels would include your lucid commentary among their Chicken-Little reports.

By coincidence, I just started into "Secrets and Lies" a couple of days ago. A sense of humor makes tech stuff -- or any stuff -- a more enjoyable read, and I'm looking forward to it.

joeMay 15, 2008 11:30 PM

I'm 22, which means I've only *really* known how computers work for a good six years or so.

One day - it must have been in 2002 or 3? - I stumbled across Crypto-gram from a Slashdot story. At the time all I knew about security was that sometimes people got DDoSed and that you could get viruses from Outlook. Crypto-gram taught me what security *is*. Through your clear writing you taught me about cryptography (and why it's hard to do right), economics, the mindset of the attacker, the defender's dilemma (how to allocate resources - spread too thin and you might leave a hole; focus too narrowly and you won't cover the whole field), and most importantly I think, how to think about threats. I didn't stop with Crypto-gram: I followed your links and read what others had to say. I've read a handful of books on security (including Applied Crypto) and taken two college classes (one undergraduate, one graduate). I've been to three DefCons and two Toorcons. Security isn't my career, but it has easily taught me more about computing than any of the 'traditional' fields of study (algorithms, languages, etc). So thank you... thank you for enlightening me and teaching me. I've enjoyed reading your thoughts for the last six years, and I hope for many happy returns. And congrats - it's hard to spend a decade doing any single worthwhile thing in this industry :D

Mikko HypponenMay 16, 2008 1:36 AM

Congratulations Bruce. Crypto-Gram is the gold standard for security newsletters.

And *everybody* in this industry reads your blog.

Cheers,
Mikko

PrincehahahaMay 16, 2008 2:57 AM

Here's another Bruce Schneier fact:
Bruce Schneier doesn't write Crypto-Gram, he uses a true random generator to generate random strings and decrypts them into Crypto-Gram articles (or articles on this blog, maybe? :-)
Seriously, keep on the good stuff!

Jaromir PavlinecMay 16, 2008 3:04 AM

There's hardly anything to add... thanks a lot & please keep going!

Andrew GumbrellMay 16, 2008 6:16 AM

Congratulations, Bruce and keep up the good work.
It has been great to have highly technical matters explained by someone who can write good English, understands his subject so completely and yet lives in the real world.
My introduction to security was 11 years ago, when I found that I could read Applied Cryptography exactly as I would read a novel. I have been a fan of yours ever since.

andyMay 16, 2008 6:43 AM

Claudio beat me to it, but I was also able to find my subscription confirmation:

WELCOME to crypto-gram at chaparraltree dot com 7/21/1999 5:30:29 PM
From: crypto-gram-help at chaparraltree dot com [crypto-gram-help at chaparraltree dot com]
To: {removed my email - yes, i still have the same email address I used in 1999. Yes, it's a spam magnet.}
Cc:

--------------------------------------------------------------------------------
Hi! This is the ezmlm program. I'm managing the Crypto-gram mailing list.

Acknowledgment: I have added the address

{removed my email again}

to the distribution list for Counterpane Systems' Crypto-Gram newsletter.

Welcome to crypto-gram at chaparraltree dot com!

Please save this message so that you know the address you are
subscribed under, in case you later want to unsubscribe or change your
subscription address.


--- Administrative commands for the crypto-gram list ---

I can handle administrative requests automatically. Please
DO NOT SEND THEM TO THE LIST ADDRESS! If you do, I will not
see them and other subscribers will be annoyed. Instead, send
your message to the correct command address:


To subscribe to the list, send a message to:
:

To remove your address from the list, send a message to:
:

The messages do not really need to be empty, but I will ignore
their content. Only the ADDRESS you send to is important.

You can start a subscription for an alternate address,
for example "john at host.domain", just add a hyphen and your
address (with '=' instead of ' at ') after the command word:

To stop subscription for this address, mail:

In both cases, I'll send a confirmation message to that address. When
you receive it, simply reply to it to complete your subscription.

If despite following these instructions, you do not get the
desired results, please contact my owner at
crypto-gram-owner at chaparraltree dot com. Please be patient, my owner is a
lot slower than I am ;-)

RayMay 16, 2008 7:59 AM

Always insightful and informative. I am one that enjoys the email format. Keep up the fight. Waiting for the next email on the 15th...

Ray

Alan PorterMay 16, 2008 8:50 AM

Proud subscriber since 1999. And yes, Bruce, you've changed the way I think, for the better.

B.D.May 16, 2008 10:23 AM

Congrats, Bruce, and thank you for the thought provoking (and squidish) reading.

RobLMay 16, 2008 1:13 PM

You may not remember where the first 400-some subscribers came from, but I do. When I got a copy of Applied Cryptography, I emailed schneier@counterpane.com asking for a list of errata. Not long after I got an email announcing the creation of the crypto-gram newsletter. Wish I could still find that email...

GiuseppeMay 17, 2008 7:19 PM

Bruce, my first issue was November '98 and I've been enjoying them since.

Thank you very much for the great job.

GiuseppeMay 17, 2008 7:21 PM

p.s. while not the first 400, I'm sure some of the other subscribers in Nov. '98 came about due to a posting on MCI's ESTF mailing list recommending crypto-gram.

NirMay 18, 2008 8:03 AM

Bruce,

thank you for the superb newsletter.
It's delightful & mind stimulating to read your view of the world.

Keep up the good work,
Nir

FusionMay 18, 2008 4:50 PM

Thanks! Not just politeness; really thanks!

For a real contribution to the effort to make sense about voting systems.

And for the pleasure of reading clear thinking and explanations...

RayKMay 19, 2008 9:46 PM

Bruce

Thanks for continuing to do your work, Cryptogram, blog, and speaking included.

You continue to be a great influence on me, on the industry, and to the non-security people who read and hear you.

Keep up the great work!

SicoAugust 3, 2008 6:07 AM

Dear Bruce,

I am a long time reader of your excellent Crypto-Gram newsletter. Still, I have only just heard the May 2008 issue. Hereby my belated congratulations with the 10 year anniversary.

I totally agree with your assessment of how smart those two decisions were. In fact, I agree with a lot more of your opinions but mentioning them all here would be lengthy and boring.

I've never visited this blog before, and I am unlikely to ever repeat visit. I do not subscribe to the email version any more, I read Crypto-Gram on the Web site. For current news there's Bugtraq and the like. I read Crypto-Gram for opinions, insights, ideas.

But these days I get most of my Crypto-Gram information through the podcasts of Dan Henage. They are downloadable in mp3 form, so I can just put them on my mp3 player and listen to them as I commute without the need for mobile Internet or anything fancy like that. The KISS principle, if you wish.

Dan is also doing this for free, although I have occasionally clicked the Paypal donation button. I am very happy with the both of you, for the quality of the information and the ways in which it is delivered.

At the risk of showing my age, I have to say that providing valuable service for all and sundry without charging for it reminds me of the old days of the Internet, before Berners-Lee invented the Web.

Thanks again, and keep up the good work!

Sico (self-proclaimed information warrior).

--

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..