Bloggers on Blogging: Bruce Schneier

Bruce Schneier started his immensely popular blog Schneier on Security in October 2004. He is the CTO of BT Counterpane and the author of eight books, including the bestselling Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Secrets and Lies: Digital Security in a Networked World, Applied Cryptography, and Practical Cryptography.

Bruce, 44, has a B.S. in Physics from the University of Rochester and an M.S. in Computer Science from American University. He created the the influential Blowfish and Twofish encryption algorithms, has testified before Congress, and has served on several government technical committees. He serves on the Board of Directors of the Electronic Privacy Information Center and as an advisor to the EFF and the ACLU. Bruce lives in Minnesota with his wife, Karen Cooper, and their two cats.

What is the first weblog you read?

I honestly don’t remember, but I know I’m a latercomer to blogs. I started reading political weblogs regularly during the 2004 election cycle. Before that, I dipped into some friends’ weblogs once in a great while.

Why did you start your weblog?

Since 1998, I have published a monthly e-mail newsletter called Crypto-Gram. It consisted of essays on different security topics, often prompted by news articles, as well as links to other news articles and webpages I wanted to point people towards. It was very popular, and I enjoyed doing it.

Various people suggested I turn Crypto-Gram into a blog, but I resisted. The monthly schedule allowed me to let a story unfold for a while before writing about it. It also allowed me to write when I wanted to about what I wanted to. I didn’t want to be forced to write something every day, and I couldn’t imagine either having enough time or enough material to write something every day. So I continued to keep Crypto-Gram as a monthly publication.

The problem was that other blogs would rarely link to my essays, because by the time I got around to publishing them it was all old news. So the Schneier on Security weblog started out as a way to pre-publish Crypto-Gram essays, allowing other blogs to pick them up. And initially, that’s what the blog was. But slowly, over the months, the entries became more blog-like. I started writing more blog-like entries. I started quoting material the way blogs do, which is something I rarely did in the original version of Crypto-Gram.

And slowly, instead of Schneier on Security being a blog version of Crypto-Gram, Crypto-Gram became a monthly e-mail version of my blog. And that’s how I write it. I cut and paste all the blog posts from the past month, re-edit and re-organize them, and send them out in a single e-mail.

What is your site about?

Schneier on Security is about…well, it’s about security. Primarily I write about technological security, and the intersection of security with economics and politics and psychology. Lots of computer security and cryptography, which is where I started my work in this field, but also about real-world security: terrorism, crime, and so on. I write about voting machines, national ID cards, airline passenger profiling, databases, identity theft, counterfeiting, security law, and the notion that security is always a trade-off.

How often do you update?

When I started my weblog, I updated it at least once every weekday—usually in the morning. That’s changed as I’ve found more things to write about. Now it’s twice a day, and sometimes three times a day if I have enough backlog. I generally schedule my posts in advance, sometimes days in advance. I’ve gone on week-long vacations with twice-daily posts scheduled; no one even knows I’m gone.

How much traffic do you get?

That’s a hard question to answer. My stats tell me that I get about 95,000 unique visitors a day and 220,000 pages views per day. RSS feeds are on top of that: about 20,000. And, of course, 125,000 people get the same material once a month in Crypto-Gram. I’m sure there’s some overlap between blog readers and Crypto-Gram subscribers, though.

Wow, that’s a lot of people. With all of your writing and speaking and blogging, do you have any sense that you’re reaching the policy-makers?

I wish I knew who my writing reached. I get a lot of mail, both fan mail and long well-thought-out discussions of different aspects of my writing, so I know people read and think about what I write. But I don’t know much about the type of people who read me. My suspicion is that I reach a lot more policy-makers though my newspaper op eds than my blog and Crypto-Gram, although I know a lot of reporters read me daily.

What is your blog’s rank on Technorati?

I generally rank in the 120s. I’ve seen it as high as 100, but that was just once.

Do you make money on your site?

I don’t, at least not directly. I know I could make money advertising on both my blog and in Crypto-Gram because of their focus on security, but I haven’t felt the need to yet. As long as I have a job and a salary, I’d like to stay away from advertising. But sooner or later I may succumb.

But I do make money from speaking, article writing, and consulting. And the blog supports all of that.

Which tool do you use? Why?

Movable Type, for no particular reason.

Has your weblog led to any other opportunities?

Everything I do supports everything else I do. So it’s hard to tell what leads to what: my work, my public speaking, my books, my essays and op-eds, my blog and Crypto-Gram. Everything leads to everything else, I guess.

How do you choose items to link?

I link to items that interest me. Sometimes it’s because the topic is one that I’m writing about. Sometimes it’s because the topic is one that I’m not writing about. What I like best are links that illustrate a particular general point about security and security technology. Often I use news items as a jumping-off point for a more general security essay. When I do that, I search for other links that can be used in context.

My weekly squid posts—those are easy to find.

How do you handle corrections?

It depends. If it’s a simple typo, I just make the change. I go back and forth about deleting the comment that mentions the typo—once the correction is made the comment doesn’t make sense anymore—but so far I’ve just left them. If I have a substantive correction, or an addition, I append an update at the bottom of the post. When I compile the posts into Crypto-Gram every month, I make many corrections, additions, and updates.

Where do you find interesting links?

I find links everywhere. Often readers mail them to me. Sometimes I find them on the various news sites I visit. Sometimes I find them on other security blogs.

Any surfing secrets?

Tabbed browsing. Civilization would collapse without it.

How long does it take you to write an entry?

Some blog entries take under a minute to write; those are just short posts with a link and perhaps a single comment. I write the post, give it a quick editing pass, and then schedule it for posting. I often do these throughout my day, as I stumble upon things I want to post.

Longer essays can take days to write. Sometimes the topic is one I’ve been thinking about, and other times the topic stems from some news story. I have a monthly column for the Forbes website and a biweekly column for—and I write regular newspaper op-eds—so many of the longer essays appear in one of these places before I post them. I spend a lot of time on these essays: drafting, rewriting, editing. Often I send drafts of the essays to other people to read and comment on.

My agreement with all my other publishers is that they get to publish them first, and then I can reprint them on my blog. So I schedule them to post a few hours after they go live on the publisher’s site.

Do you ever write to deliberately provoke a reaction? Any tips on how to do that?

I have never written a blog post with the thought: “This will certainly get a reaction from the community.” Sometimes my essays are provocative, but never deliberately. And I’ve learned over the years that I cannot predict which posts will generate a lot of comments and which won’t.

Has blogging affected your non-blog writing (apart from Crypto-Gram)?

Blogging means thinking in terms of hypertext: quoting and linking. In some ways I think it’s sloppier, because I can always quote from the original material instead of summarizing it. In the original days of Crypto-Gram, before I started my blog, I would include a list of links at the end of entries. I like being able to embed those links directly into the text. When I convert those blog postings for Crypto-Gram, I move all the links to the bottom. It’s interesting to work in both a text-based and HTML-based medium at the same time.

How many hours online do you spend a day?

It varies. When I’m traveling, I might only spend an hour a day on line, maybe less. When I’m home, I can spend all day on line. I certainly try to visit the Net regularly: much of my work and social interactions happen online these days.

That’s true of everyone I know. How early were you on the Internet, and at what point, for you, did it change from being a communications/publication tool and become a social device?

I got my first e-mail address around 1987, and it was a social device long before it was a communications/publication tool. It’s simply a matter of critical mass; as soon as my friends were on the Internet, I used it to talk with them. And the change happened gradually. I remember that sometime in the mid-1990s I stopped mailing paper invitations to my parties at home, and simply used e-mail.

When do you blog?

Whenever I can. I don’t have a standard day. Often I’m traveling, or I have other work to do. So I blog whenever I can.

How many weblogs do you follow?

About fifty. Not all every day, of course.

How do you find new weblogs?

I find new weblogs in two ways. Either I follow a link from another weblog, or a reader points me to one.

In your reading, do you actively seek out differing points of view?

I always try to look for different points of view and opinions: that’s where the interesting stuff is. I do it by reading things that I know I will disagree with.

How much reader email do you get? Are you able to answer it all?

One of the properties of the Internet is that it takes interactions out of their normal social context. If I were at a gathering and I saw someone who I wanted to talk to, I would see him in context. If he were mobbed with people, I might decide to talk to him later. If he were engrossed in work, I might decide to say hello in passing. If he looked bored, I would be more likely to engage him in conversation.

The Internet lacks this context. When you send someone an e-mail, you send it into the void. Is the recipient busy? Is he feeling like talking? Has he been deluged with dozens of similar e-mails? You have no way of knowing.

I get a lot of reader e-mail. I try to read all of it, because a lot of it contains good suggestions for things to post. But far too much of it involves requests for my time: for an opinion, a suggestion, a recommendation. All are well-meaning, from people I either don’t know or maybe have met once or twice at a conference. Individually, each of these e-mails is a reasonable request, and simple enough to answer. Maybe each would only require five to ten minutes of time. But dozens a day…it’s just too much.

Still, I try to answer it all, even if it is to just say that I’m too busy to answer properly.

Do you ever receive abusive email or comments? How do you handle it?

I get abusive e-mail regularly; I ignore it. And when I find abusive blog comments—whether they are abusive to me or to another commenter—I delete them. Disagreement is good, but I have some minimal standards for polite discourse.

I find that some days updating my site is more satisfying than others. Is there a certain type of entry, or a certain kind of day that is most satisfying for you?

I prefer substantive essays to one-line link posts. They’re more interesting and more satisfying to write.

What is your advice for a new blogger?

Just do it. Don’t worry about being boring. Don’t worry about being interesting. Just do it.

What about books, film, television and other offline media—do you have time for it now?

I have never been very good at mass media. I go months without turning on a television—and have gone years without owning one—and I rarely go to movies. I do read a lot: books, magazines, essays. I travel a lot, and I like having a variety of things to read. It’s not uncommon for me to print something off the Internet for later reading.

What catches your attention in a weblog?

Good information that I didn’t know before.

How has your weblog changed your life?

It’s just another damn thing that ties me to my computer.

What are your hobbies?

Food: cooking and eating. My wife and I write restaurant reviews for the Minneapolis Star-Tribune and other publications.

What is the most telling thing about you?

The fact that I don’t answer questions like this.

Mac or PC?

PC. Windows. I catch a lot of hell over this from readers, but it’s just easier for me. I would very much like to be a Linux user, if for no other reason than the political statement. But I don’t do my own tech support, and I don’t want to learn, so I use what my company uses.

Would you read your site?

All sorts of people read my site. Cryptography and computer security nerds, people interested in national security, relatives. I write for a general audience, and that’s what I think I have.

Categories: Text, Written Interviews

Sidebar photo of Bruce Schneier by Joe MacInnis.