Entries Tagged "Schneier news"


The ID Divide

Yesterday, the Center for American Progress published its paper on identification and identification technologies: “The ID Divide: Addressing the Challenges of Identification and Authentication in American Society.” I was one of the participants in the project that created this paper, and it’s worth reading.

Among other things, the paper identifies six principles for identification systems:

  • Achieve real security or other goals
  • Accuracy
  • Inclusion
  • Fairness and equality
  • Effective redress mechanisms
  • Equitable financing for systems

From the Executive Summary:

How can these principles be honored in practice? That’s where the “due diligence” process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.

In the pages that follow, we apply this due diligence process to some recurring technical problems with current and proposed identification programs. And we discover—as you’ll see toward the end of the report—that ID programs that rely on “shared secrets,” such as Social Security numbers or your mother’s maiden name, are becoming more insecure due to the increased use of identification. Similarly, ID programs based on biometrics such as fingerprints or iris scans are not the “silver bullets” that some proponents claim they are, but rather could become compromised rapidly if deployed in haphazard ways.

We then apply our progressive principles and due diligence insights to two current examples of identification programs. The first details why it would be bad policy to require government-issued photo ID for in-person voting. The second shows the basically sound policy rationale for the Transportation Worker Identification Card, used for workers with access to security-critical port facilities. By examining one identification program that is reasonable, and one that is not, our analysis shows the usefulness of the Progressive Principles for Identification Systems.

I participated in the panel discussion announcing this report, along with Jim Harper (Director of Information Policy Studies at the Cato Institute).

Posted on June 4, 2008 at 6:34 AM

Crypto-Gram Tenth Anniversary Issue

Ten years ago I started Crypto-Gram. It was a monthly newsletter written entirely by me. No guest columns. No advertising. Nothing but me writing about security, published the 15th of the month every month. Now, 120 issues later, none of that has changed.

I started Crypto-Gram because I had a lot to say about security, and book-length commentaries were too slow and too infrequent. Sure, I was writing the occasional column in the occasional magazine, but those were also too slow and infrequent. Crypto-Gram was supposed to be my personal voice on security, sent directly to those who wanted to read it.

I originally thought about charging for Crypto-Gram. I knew of several newsletters that funded themselves through subscription fees, and figured that a couple of hundred subscribers at $150 or so would sustain itself very nicely. I don’t remember why I decided not to—did someone convince me, or did I figure it out myself—but it was easily the smartest decision I made about this newsletter. If I’d charged money for the thing, no one would have read it. Since I didn’t, lots of people subscribed.

There were 457 subscribers by the end of the first day. After that, circulation climbed slowly and steadily. Here are the totals for May of each year:

1999 15964
2000 33827
2001 45832
2002 58046
2003 66368
2004 75907
2005 83835
2006 87839
2007 92488
2008 98618

Those numbers hide a lot of readers, like the tens of thousands that read Crypto-Gram via the Web. I also know of people that forward my newsletter to hundreds of others. There are many foreign translations that have their own subscription list. These days I estimate that I have about 25,000 newsletter readers not included in those numbers.

I have no idea where the initial batch of subscribers came from. Nor do I remember how people subscribed before the webpage form was done. I do remember my first big burst of subscribers, though. It was following my special issue after 9/11. I wrote something short for the September issue, but I found that I couldn’t stop writing. Two weeks later, I published a special issue on the terrorist attacks. Readers forwarded that issue again and again, and I ended up with many new subscribers as a result.

Reader comments began earlier, in December 1998. I found I was getting some really intelligent comments from my readers—especially those that disagreed with me—and I wanted to publish some of them. Some of the disagreements were nasty. In October 1998, I started a column called “The Doghouse,” where I made fun of snake-oil security products. Some of the companies didn’t like being so characterized, and sent me threatening legal letters.

Turns out that publishing those sorts of threats as letters to Crypto-Gram was the best defense, even though my lawyers always discouraged it. None of these incidents ever went past the threatening stage, even though court papers were occasionally filed.

Over the years, Crypto-Gram’s focus has changed. Initially, it was all cryptography. Then, more computer and network security. Then—especially after 9/11—more general security: terrorism, airplanes, ID cards, voting machines, and so on. And now, more economics and psychology of security. My career has been a progression from the specific to the general, and Crypto-Gram has generalized to reflect that.

The next big change to Crypto-Gram came in October 2004. I had been reading about blogging, and wondered for several months if switching Crypto-Gram over to blog format was a good idea or not. Again, it was about speed and frequency. I found that others were commenting on security stories faster, and that by the time Crypto-Gram would come out, people had already linked to other stories. A blog would allow me to get my commentary out even faster, and to be part of the initial discussions.

I went back and forth. Several people advised me to change, that blogging was the format of the future. I was skeptical, preferring to push my newsletter into my readers’ mailboxes every month. I sent a survey to 400 of my subscribers—200 random subscribers and 200 people who had subscribed within the past month—asking. My eventual solution was the second smartest thing I did with this newsletter: to do both.

The Schneier on Security blog started out as Crypto-Gram entries, delivered daily. And the early blog entries looked a lot like Crypto-Gram articles, with links at the end. Over the following months I learned more about the blogging style, and the entries started looking more like blog entries. Now the blog is primary, and on the 15th of every month I take the previous month’s blog entries and reconfigure them into Crypto-Gram format. Even today, most readers prefer to receive Crypto-Gram in their e-mail box every month—even if they also read the blog online.

These days, I like both. I like the immediacy of the blog, and I like the e-mail format of Crypto-Gram. And even after ten years, I still like the writing.

People often ask me where I find the time to do all of that writing. It’s an odd question for me, because it’s what I enjoy doing. I find time at home, on airplanes, in hotel rooms, everywhere. Writing isn’t a chore—okay, maybe sometimes it is—it’s something that relaxes me. I enjoy putting my ideas down in a coherent narrative flow. And there’s nothing that pleases me more than the fact that people read it.

The best fan mail I get from a reader says something like: “You changed the way I think.” That’s what I want to do. I want to change the way you think about security. I want to change the way you think about threats, and risk, and trade-offs, about security products and services, about security rhetoric in politics. It matters less if you agree with me or disagree, only that you’re thinking differently.

Thank you. Thank you on this 10th anniversary issue. Thank you, long-time readers. Thank you, new readers. Thank you for continuing to read what I have to write. This is still a lot of fun—and interesting and thought provoking—for me. I hope it continues to be interesting, thought provoking, and fun for you.

Posted on May 15, 2008 at 11:13 AM

Schneier Interviews

Two weeks ago I was interviewed on Dutch radio. The introduction and questions are in Dutch, but my answers are in English.

Three weeks ago I was interviewed on Anti War Radio. It was an odd interview, starting from my essay “Portrait of the Modern Terrorist as an Idiot” and then meandering into the role of government versus corporations in security.

This written Q&A was conducted on video even though it is presented as text, so it doesn’t read as well as the ones I’ve done via e-mail. This is a video interview from the RSA Conference.

And finally, three video interviews, one from the U.K. and two from Australia.

I’m not trying to brag. It’s just easier for me if these links are all in one place so I can search for them later.

Posted on May 2, 2008 at 1:53 PM

Protect Your Macintosh Copies Available

In 1994, I published my second book, Protect Your Macintosh. You’ve probably never heard of it; it died a quiet and lonely death.

Going through some boxes, I found a dozen copies of the book: first and, I think, only printing. I’m willing to send one to anyone who wants one for $5 postage. (That’s in the U.S. If you’re elsewhere, we’ll figure out postage.) Please let me know via e-mail if you’re interested.

And I can assure you that, fourteen years later, there’s absolutely nothing of practical value in the book. This offer should only interest collectors. And even them, not that much.

I also have seven copies of my third book, E-Mail Security, from 1995, which also has nothing in it of any practical value anymore. Again, $5 for postage.

EDITED TO ADD (5/3): Sold out; sorry.

Posted on May 2, 2008 at 11:12 AM
