×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Schneier on Security

samzenpus posted more than 5 years ago | from the protect-ya-neck dept.

Security 204

brothke writes "There is a perception in both the private and government sector, that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must get." Keep reading for the rest of Ben's review. Perhaps no one in the world gets security like author Bruce Schneier does. Schneier is a person who I am proud to have as a colleague [Schneier and I are both employed by the same parent company, but work in different divisions, in different parts of the country]. Schneier on Security is a collection of the best articles that Bruce has written from June 2002 to June 2008, mainly from his Crypto-Gram Newsletter, his blog, and other newspapers and magazine. The book is divided into 12 sections, covering nearly the entire range of security issues from terrorism, aviation, elections, economics, psychology, the business of security and much more.

Two of the terms Schneier uses extensively throughout the book are intelligence and economics. From an intelligence perspective, he feels that Washington has spent far too much on hardware and other trendy security devices that create a sense of security theater. The security theater gives an aura and show of security, but in reality, has little real effect.

The lack of intelligence is most manifest with airports, which are a perfect example of misguided security. Schneier notes that current trends in US airport security requires that people remove their shoes, due to a one-time incident with shoe-based explosive. Such an approach completely misses the point. Also, Schneier notes that the attempt to create a no-fly list, by feeding a limited set of characteristics into a computer, which is somehow expected to divine a person's terrorist leaning, is farcical.

Schneier therefore feels that the only way to effectively uncover terrorist plats is via intelligence and investigations, not via large-scale processing of everyone. Intelligence is an invaluable tool against terrorism, and the beauty of it is that it works regardless of what the terrorists are plotting. The bottom line according to Schneier in the book is that too much of the United State's counterterrorism security spending is not designed to protect us from the terrorists; but instead to protect public officials from criticism when another attack occurs.

Schneier also astutely notes that for the most part, security is not really so much of a technical issue, rather one of economics. A perfect example he gives is that of bulletproof vests. Since they are so effective, why doesn't everyone wear them all of the time? The reason people don't is that they do not think they are worth the cost. It is not worth the money or inconvenience, as the risk of being shot for most people is quite low. As a security consumer, people have made the calculation that not wearing a bulletproof vest is a good security trade-off. Schneier also notes that much of what is being proposed as national security is a bad security trade-off. It is not worth it and as consumers, the public is being ripped off.

Another recurring theme throughout the book is how the Bush administration has little by little eroded the Constitution, all in the name of fighting terrorism. Schneier notes that the brilliant framework the founding fathers created by creating divisions of power (executive, legislative, judicial) with checks and balances violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes. Since there is a certainty that government powers will be abused.

Schneier observes that the USA PATRIOT is a perfect example of this abuse. The Constitution was designed and carefully outlines which powers each branch may exercise. While Schneier is best-known as a cryptographer and security expert, Schneier on Security also shows him to be a defender of the Constitution. In a number of essays in the book, he shows how unchecked presidential powers is bad not only for security, but for the preservation of democracy.

In chapter 8, on the topic of the economics of security, Schneier suggests a three-step program for improving computer and network security. He notes that none of them have anything to do with technology; they all have to do with businesses, economics, and people.

In chapter 9, on the psychology of security, Schneier writes that he tells people that if something is in the news, then they do not have to worry about it. He writes that the very definition of news is something that hardly ever happens. It's when something is not in the news, when it is so common that it is no longer news, drunk drivers killing people, domestic violence, deaths from diabetes, etc., that is when you should start worrying. And much of the terrorist threats that the Department of Homeland Security is spending tens of billions of dollars on, are those news threats, such as shoe bombers and liquid explosives that present very little real threat to the people of the US.

A fundamental theme of the book is that security is a trade-off. And far too many people have made the security trade-off without thinking if it is truly worth it. In essay after essay, Schenier challenges those assertions. Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schenier asks, has it been worth it?

Schneier on Security is an exceptionally important book that is overflowing with thought-provoking articles. Schneier gets above vague adages such as the war on terror and gets to the heart of the matter. His insight details what the real threats are, and what we should really be worrying about. The irony is that what Washington does is often the exact opposite of what should be done.

Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack. Schneier on Security is a manifesto of what should have been done, and what should be done. The book is eye-opening from the first page to the last. It lets you know that the next time you see grandma asked to take her shoes off by a TSA agent at the airport, why she is simply a bit player in the large security theater. And why spending tens of billions on a charade like that, makes that a tragedy of epic proportions.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Schneier on Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

204 comments

Afterword (4, Interesting)

mcgrew (92797) | more than 5 years ago | (#25444435)

Two things:

First, Van Gogh painted Bruce Schneier's portrait [petroz.com] over a hundred years ago.

Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.

Secondly, I want to point to an afterward to Cory Doctorow's Little Brother [craphound.com] . Bruce Schneier writes:

It's how security people think. We're constantly looking at security systems and how to get around them; we can't help it.

This kind of thinking is important no matter what side of security you're on. If you've been hired to build a shoplift-proof store, you'd better know how to shoplift. If you're designing a camera system that detects individual gaits, you'd better plan for people putting rocks in their shoes. Because if you don't, you're not going to design anything good.

So when you're wandering through your day, take a moment to look at the security systems around you. Look at the cameras in the stores you shop at. (Do they prevent crime, or just move it next door?) See how a restaurant operates. (If you pay after you eat, why don't more people just leave without paying?) Pay attention at airport security. (How could you get a weapon onto an airplane?) Watch what the teller does at a bank. (Bank security is designed to prevent tellers from stealing just as much as it is to prevent you from stealing.) Stare at an anthill. (Insects are all about security.) Read the Constitution, and notice all the ways it provides people with security against government. Look at traffic lights and door locks and all the security systems on television and in the movies. Figure out how they work, what threats they protect against and what threats they don't, how they fail, and how they can be exploited.

Spend enough time doing this, and you'll find yourself thinking differently about the world. You'll start noticing that many of the security systems out there don't actually do what they claim to, and that much of our national security is a waste of money. You'll understand privacy as essential to security, not in opposition. You'll stop worrying about things other people worry about, and start worrying about things other people don't even think about.

Sometimes you'll notice something about security that no one has ever thought about before. And maybe you'll figure out a new way to break a security system.

That's just a snippet, as the book is one long HTML page do a word search on "Bruce Schneier" to find the afterword.

Re:Afterword (5, Insightful)

Creepy Crawler (680178) | more than 5 years ago | (#25444595)

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

Re:Afterword (4, Insightful)

gnick (1211984) | more than 5 years ago | (#25444857)

People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

Sometimes, but I don't think that it's about some smart-person-persecution system. The big problem is that, if somebody points out a security hole, it must be fixed. Even if the hole has been noticed before but was ignored because the odds of exploitation are so remote as to negate the sense in repairing it, once it's been reported it must be addressed - The risk of exploitation is now magnified greatly because of the liability lying on whoever ignores the request - Nobody wants to hear "I told you so" after a security incident. So, if the weakness is ludicrously expensive to fix and very minor, you are correct that it will probably annoy whoever you point it out to. It's not that they don't like you because you're smart, it's because they may have to do something silly or possibly face the consequences of exposed inaction.

If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

That's kind of messed up. Maybe you've worked in some really dysfunctional places, but just throwing in the towel is doing a disservice to everyone involved. Just be sure you do a critical assessment of what you're suggesting before voicing it formally so that you can be sure that you're really improving things instead of making them worse. Otherwise, like Schneier points out, everyone winds up removing their shoes and throwing away their shampoo as a reaction to a couple of very remote threats.

Of course, there are obvious exceptions.

Re:Afterword (1)

Creepy Crawler (680178) | more than 5 years ago | (#25445067)

That's the thing: all security can be broken. All security has some sort of a hole or another. People do not want to hear about "possible avenues of attack".

Security really comes down to trust: do you trust the person you hired to not sell the company out or do evil to the company?

The problems that beget lower security can be attributed to a cost of business.

Re:Afterword (1)

Vellmont (569020) | more than 5 years ago | (#25445723)


That's the thing: all security can be broken. All security has some sort of a hole or another.

While this is true, you ignore the most important point. All security holes are not created equal. There's some VERY dumb security problems I've come across or heard about over the years that would be VERY easy to exploit. Most (if not all) of them have been fixed. There's others that would be much more difficult to exploit.

You're correct that people don't want to hear about "possible avenues of attack". They want a security guy to do his/her job and say "this problem should be fixed, as it's highly likely to be exploited, and can cause severe damage".


Security really comes down to trust: do you trust the person you hired to not sell the company out or do evil to the company?

All security isn't internal. But on some level, you're right that internally there's a lot riding on the trust relationships. For those cases where there isn't any trust, security is about economics. How hard is it to break the security, how much risk of getting caught is there, and what's the benefit to doing so? You only need to make it not worth it to jump the fence.

Re:Afterword (1)

burris (122191) | more than 5 years ago | (#25445201)

That's kind of messed up. Maybe you've worked in some really dysfunctional places

You mean, there are places in the security business that aren't dysfunctional?

That's why I stopped working in IT security. Employees punished for trying to help, incredible amounts of snake oil, kickbacks for purchasing snake oil, totally clueless people attracted to the "spook" aspect, people and vendors acting "spooky" for no good reason, and did I mention the spook wannabes?

Re:Afterword (0)

Anonymous Coward | more than 5 years ago | (#25445279)

Keep in mind the old saying "it's not what you say, it's how you say it". It's not uncommon amongst us "nerds" to be socially unaware enough that when explaining something to another person we come off as arrogant and demeaning. This has the adverse affect of others wanting to see you "punished" because they believe you are causing trouble and being an ass.

So while I agree it's not a "smart-person-persecution system" it's often more than just that someone has to fix something.

Re:Afterword (5, Interesting)

cvd6262 (180823) | more than 5 years ago | (#25445027)

Amen.

I recently relocated to a rather rural area and I've met a lot of... shall we call them "simple" people. They look like country bumpkins, and many rarely leave the area, but several have surprised me with their insights.

One was an older man who worked construction his whole life. He once flew out to see his son's family in another state. While waiting to board his return flight he was sitting facing the key-pad door that led to the tarmac. He heard one person type "Beep... Beep... Beep... Bip-bip-bip." Then another. He realized that the six-digit code was three different numbers, followed by three identical numbers.

So he watched. After fifteen minutes he got the code. It was something like "264000." He wrote it on his boarding pass. When we handed the pass to the attendant at the gate she asked, "Sir, do you need this number?" He responded, "No, I don't need the code to your locked door over there." And then he boarded the plane.

A few minutes later two airport police officers came on the plane and asked him if he'd mind answering a few questions. He missed his flight (though they took mercy on him and put him on a later flight) while he was read the riot act. At no point did anyone thank him, nor did it seem that they were willing to find fault with their system or people who let out their ubersecret code.

He was wrong for hearing the code. He was wrong for watching the employees type the code.

Re:Afterword (1)

spidr_mnky (1236668) | more than 5 years ago | (#25445855)

I sympathize with the guy, because he sounds a lot like me, but just to play devil's advocate, here:

Yes, the authorities were being jerks, but that's not really a surprise. He might have anticipated this and either kept the observation to himself, or at least taken a moment to explain that he'd watched it, and wasn't any kind of threat, rather than acting shady.

The gold from Fort Knox probably isn't sitting behind the door to the tarmac. Odds are that the lock is just there to keep people from wandering out there. People have an amazing ability to go places and do things that they really, obviously should not. Most security measures are not taken against geniuses but idiots.

Like I said, my heart goes out to him, because he sounds like a cool guy, but it does sound like he brought trouble on himself, probably just by momentary lack of forethought.

If, on the other hand, someone had left the door open, perhaps they would be more receptive to a quiet mention of that fact. It doesn't make him look mysterious (suspicious), and to acknowledge the pessimistic side, the cost to fix it less than the cost to punish.

Re:Afterword (1)

Workaphobia (931620) | more than 5 years ago | (#25446141)

That is a perfect example of the exact trade-off security-conscious people must deal with.

Suppose that all people who attempt to break a system were entitled to do so if they come forward with their methods. This would allow anyone to commit any number of attempted felonies so long as they were not successful. My own counterargument would be that the person who would exploit these holes for malicious purposes wouldn't come forward and thus would be unstoppable if we assume that they aren't caught.

Still, by prosecuting or at least harassing even good-intentioned trespassers, it serves the purpose of deterring some cross-section of would-be offenders regardless of their intent.

Re:Afterword (2, Insightful)

JustinOpinion (1246824) | more than 5 years ago | (#25445109)

Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

Only because people have no clue about security.

When most people hear about a security vulnerability, they do indeed think that they have two options:
1. Fix it.
2. Bury all information about it.

The reality is that the third option is the one that is frequently the right one: Acknowledge it and move on. Security vulnerabilities are everywhere. It's better to be aware of them than not. And yes it's a good idea to fix them if doing so is not overly onerous. However it is not always necessary to fix them all.

For instance a store may not put magnetic tags on the chocolate bars they sell. Is the correct solution to tag everything? No, it's probably better to rely on people's (generally) good nature, the vigilance of employees, and then simply accept that a few chocolate bars will get stolen. It is cheaper (and less annoying for customers) to accept the losses. Or a movie theater can be tricked by having people exit with already-used tickets, and bring other friends in using them. Is the correct solution to require that everyone going to the movies show ID every time they enter the theater? No, it's better to simply accept the occasional teenager who "beats the system." Oftentimes the best "security" is just social norms. (Think of how much harm you could do, how much stuff you could steal, on a daily basis if you felt no remorse.)

Many geeks make this mistake, too (possibly because they are used to thinking about computer security, where applying a fix usually makes sense because the coding cost is fairly small compared to the damage that a exploit can cause).

I wish more people understood that security is a tradeoff, so that when someone points out a security hole, the people in charge can be honest and either say "that's not a sufficient concern to warrant fixing" or "that's a good point--we'll fix that now".

Re:Afterword (1)

cdrguru (88047) | more than 5 years ago | (#25445853)

You are thinking it is still 1950. Relying on people's good nature will get you a rude surprise today. It isn't 1950 and Mrs. Cleaver doesn't live up the street. Indeed, most people aren't feeling remorse.

In the town where I live they put up lights along a bicycle path. The path is relatively isolated from other homes so at night there is nobody around. Some people figured this out and removed all of (3 or for miles worth) the electrical wire for the lights. Probably got several hundred dollars for it at the recycling center. The city is going to rewire the lights, giving some other enterprising person another windfall because the lights simply cannot be protected.

As to how much the average person could steal, stores are facing that every day. Your average retailer is looking at 2% to 5% in shrinkage, every day. You wonder why more and more stores are checking people as they leave? It is because it is proven over and over that it is no longer a small minority that steal. It is everybody. Societal norms have completely broken down.

Re:Afterword (1, Informative)

Anonymous Coward | more than 5 years ago | (#25446339)

because the lights simply cannot be protected.

No; that's bull. It's because nobody can be bothered to protect the lights. You know people come along and steal them. Put police out in hiding and wait and catch them. Yes, it costs more than the cable, but it's an investment. Yes they might get a light sentence this time because they are first time offenders, but next time they won't be. This is the most valuable lesson of New York's zero tolerance campaign. That ignoring small crimes that only affect "little people" like me and you is what causes everything to go wrong.

The shop lifters are the same people every time. You should try two experiments. Firstly; pick a random person for help in a station (really carefully); ask how to do something. Secondly, stand around looking a bit in need of help then when someone offers as the same question. In the first case you will always get good advice. In the second it will depend from place to place, but you will often get bad advice. Most people are fine, but are just to tired to go looking for people to help.

Re:Afterword (1)

Cowmonaut (989226) | more than 5 years ago | (#25445327)

Change has to start somewhere. People being selfish/apathetic like this is part of why things like the USA PATRIOT act get passed.

Mod me +1 Wishful Thinking. I just shudder to think of a world where no one stands up and tries to make their homes better. The sheer amount of will it takes is staggering, but the results are worthwhile.

Re:Afterword (0)

Anonymous Coward | more than 5 years ago | (#25445415)

Unless a system of security admin where your job is locking stuff down... NEVER report vulnerabilities. At best you are first to get fired.

If you want to do something, send an anon message via a proxy or open wireless with details. Even better, use the exploit and without losing anonymity, make the IT department get as much egg on their face as possible.

If its an OS or app bug, post it anonymously everywhere... it may actually get it fixed. Telling them first will get a gag order on you in a matter of bours.

Re:Afterword (1)

nine-times (778537) | more than 5 years ago | (#25445705)

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

Maybe because, in most cases, security is meant to deter the casual threat. You don't need to be some kind of super-spy to break into my apartment, but then the purpose of having a lock on my door isn't to keep super-spies out. Still, I don't particularly want you standing outside my door offering tutorials on how to pick my lock.

Re:Afterword (1)

DragonWriter (970822) | more than 5 years ago | (#25445857)

I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated.

This has nothing to do with smart people, it has to do with people who undermine the purpose of the system. In the case of "security" systems, many of them are not intended (from the point of view of at least some of the responsible parties: often there is a conflict) to provide security, they are intended to provide the appearance of security, which means that, contrary to what the "smart" people assume, those "smart" people are not pointing out failures to meet the actual design goal and thereby helping the system work better, they are directly undermining the actual design goal.

If you're really smart, you won't assume that people whose vested interest is in the appearance of security are concerned with the reality of security, or vice versa. And if people are concerned with the latter and you see a problem with the latter, you will make sure that, if you raise it at all, you do it in the context of how it is an inevitable problem with the former because someone hostile will inevitably discover it, and how the best way to fix it is the way that happens to provide actual security.

Its easier to get the response you want by showing people how that advances the intersts that they actually have, rather than the interests you think they should have. (You can work on changing priorities, too, but that's generally a longer term project, and even that can't work unless you are conscious of where people are coming from to start with.)

 

Re:Afterword (1)

Workaphobia (931620) | more than 5 years ago | (#25445899)

As convincing and well-established that argument is in our world, it doesn't extend indefinitely to the real one. When someone doesn't lock their door, you don't reward the guy who sneaks into everyone's house to prove he can. There are some areas where you know that insecurity exists, and rely on individual prosecution or ignorance (security through obscurity) to make the system maintainable. Near-perfect security is difficult and cumbersome, so why invest in it for anything but the most critical systems?

Re:Afterword (1)

IsaacD (1376213) | more than 5 years ago | (#25446195)

i went to work for a credit card processing vendor... shortly into the short, 120-day stay, i discovered serious security flaws, including weak encryption schemes, and even injection vulnerabilities... the software had been written by offshore sources that were either very apathetic or very junior... when i brought this to the attention of my seniors i was just told to keep it quiet... i left VERY quickly after this... this was, i discovered, during the times that they were in talks to be acquired by american express... so, they were acquired and amex inherited a lemon, and the founders of the acquired company made out fat... the last i heard, this company was hemorrhaging clients...

Re:Afterword (1)

geekmux (1040042) | more than 5 years ago | (#25446277)

If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

Obviously, you've never held a Security position where you get paid to NOT STFU.

That being said, this is also one of the main reasons I will NOT take a Security position unless I have the power to say NO in policy and procedure when necessary, and that decision be upheld and supported by the highest positions in the company.

Without TRUE support, you're asking to get hung out to dry, for all the reasons you pointed out.

Re:Afterword (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25444599)

Is she illin with the panicillin?
Is she reelin in the panicillin?
Is it feelin with the panicillin?
Are you steelin in the panacillin?

Panka Panka

Is she liable no suitifiable no not on trial but so suitifiable
Is she viable no suitifiable pliable style is so suitifiable
so reliable no suitifiable shes not on file but so suitifiable
im on the dial its so suitifiable its like im liable but more suitifiable

Re:Afterword (4, Insightful)

Penguinoflight (517245) | more than 5 years ago | (#25444753)

I like the idea of security systems working against their intended purpose. It reminds me of a recent incident at the office/retail complex where I work.

There's a fountain in the middle of a round-about, the intended purpose is to entertain visitors to the resturaunts around it. This fountain had multiple signs worded "Smile, you are being recorded"; a somewhat polite reminder to behave so to speak. Of course, there aren't any places to hide cameras in the nearby buildings, and there are no cameras installed. Someone figured this out, and put soap in the fountain. Now there are no friendly warning signs.

It was surely interesting that the poster of these signs wasn't intelligent enough to figure out that the signs would not deter bad behavior, but did understand after the fact.

Re:Afterword (1)

spidr_mnky (1236668) | more than 5 years ago | (#25445917)

They probably encouraged it. If you're getting away with something, or getting the better of someone, that's tempting. If you're just abusing the helpless, that makes most people feel like a jerk.

Hanging an open padlock on a door is going to attract a few people that would probably otherwise ignore it.

Re:Afterword (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25445137)

Two things:

First, Van Gogh painted Bruce Schneier's portrait [petroz.com] over a hundred years ago.

Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.

Secondly, I want to point to an afterward to Cory Doctorow's Little Brother [craphound.com] . Bruce Schneier writes:

It's how security people think. We're constantly looking at security systems and how to get around them; we can't help it.

This kind of thinking is important no matter what side of security you're on. If you've been hired to build a shoplift-proof store, you'd better know how to shoplift. If you're designing a camera system that detects individual gaits, you'd better plan for people putting rocks in their shoes. Because if you don't, you're not going to design anything good.

So when you're wandering through your day, take a moment to look at the security systems around you. Look at the cameras in the stores you shop at. (Do they prevent crime, or just move it next door?) See how a restaurant operates. (If you pay after you eat, why don't more people just leave without paying?) Pay attention at airport security. (How could you get a weapon onto an airplane?) Watch what the teller does at a bank. (Bank security is designed to prevent tellers from stealing just as much as it is to prevent you from stealing.) Stare at an anthill. (Insects are all about security.) Read the Constitution, and notice all the ways it provides people with security against government. Look at traffic lights and door locks and all the security systems on television and in the movies. Figure out how they work, what threats they protect against and what threats they don't, how they fail, and how they can be exploited.

Spend enough time doing this, and you'll find yourself thinking differently about the world. You'll start noticing that many of the security systems out there don't actually do what they claim to, and that much of our national security is a waste of money. You'll understand privacy as essential to security, not in opposition. You'll stop worrying about things other people worry about, and start worrying about things other people don't even think about.

Sometimes you'll notice something about security that no one has ever thought about before. And maybe you'll figure out a new way to break a security system.

That's just a snippet, as the book is one long HTML page do a word search on "Bruce Schneier" to find the afterword.

That painting looks like Chuck Norris to me.
http://www.oktat.com/pictures/img/chuck_norris_01.jpg
http://www.petroz.com/Vincent-Van-Gogh/images/vincent_van_gogh_16.jpg

Re:Afterword (1)

cdrguru (88047) | more than 5 years ago | (#25445695)

A security system in a store that simply moves the thieves next door is accomplishing the objective of the shopkeeper. Absolutely, and at minimal cost. Catching shoplifters is not the objective, it is the prevention of theft.

A basic problem we are now faced with in the US is that 50 years ago societal pressure was enough to ensure that most people obeyed the law, were nice to other people and we generally had a civil society. These pressures are breaking down, in some ways because of unassimilated immigration and changing attitudes. Also because of increased population. So what defined perfectly adequate security in a civil society doesn't work at all today.

Take the example of the restaurant. 50 years ago most people would not conceive of going to a restaurant, eating and not paying. The few that tried it were often stopped by other patrons. Today? Better have something stronger in place. The other patrons aren't going to be any help.

Security where everyone is a potential threat is a completely different game than the way the US has been playing since the 1700s.

Re:Afterword (3, Interesting)

mcgrew (92797) | more than 5 years ago | (#25445875)

Well, I was only six 50 years ago, but it did seem that there were fewer thieves. Certainly our governments and industries weren't run by thieves like they are now. But you would have to show some stats to convince me that eat-and-run and shoplifting are more prevalent. I'd say with the advent of security tags on merchandice, all the cameras, there HAS to be a lot less, or today's thieves are smarter than your grandpa's thieves.

I don't think you can blame immigration on it, not in the US at least. We have always been a nation of immigrants.

I know that when I was a teenager, kids were as awful as they are today. And you don't hear about lynchings, or hear the word "nigger", at least not from white people. I'm not sure people are more dishonest than then.

I do know that geezers are a hell of a lot nastier than they were back then. Rich peole are nastier too.

Re:Afterword (1)

riceboy50 (631755) | more than 5 years ago | (#25446129)

Shouldn't we be trying to restore those values in our free society then, rather than accepting the logical conclusion of that line of reasoning where everyone is subjugated by a police state?

Re:Afterword (0)

Anonymous Coward | more than 5 years ago | (#25446323)

Take the example of the restaurant. 50 years ago most people would not conceive of going to a restaurant, eating and not paying. The few that tried it were often stopped by other patrons. Today? Better have something stronger in place. The other patrons aren't going to be any help.

Fifty years ago the other patrons might not have been worried about getting sued, arrested and charged themselves with assault, accused of vigilantism or racism (depending on circumstances), or possibly even getting the restaurant in even more trouble.

Turning the criminal into a 'victim' is a very common occurrence these days; witness the number of gangbanging drug pushing 'youths' who become angelic choirboys after getting killed by police or other misunderstood 'youths'.

Re:Afterword (1)

PolygamousRanchKid (1290638) | more than 5 years ago | (#25445931)

Two things:

First, Van Gogh painted Bruce Schneier's portrait [petroz.com] over a hundred years ago.

Funny, I used to watch him on Saturday Night Live back in the 80's: http://en.wikipedia.org/wiki/Dennis_Miller [wikipedia.org]

Well ok, that's not Bruce but it sure looks like him, doesn't it? The linked picture is a Van Gogh self-portrait.

That's because super-secret security experts are masters of disguises. Bruce regularly travels as a comedian as a cover.

And you'll find that all the employees of his company are called "Bruce."

Looks like Kelsey Grammar only with more forehead (2, Funny)

Anonymous Coward | more than 5 years ago | (#25444471)

I didn't think that was possible.

Re:Looks like Kelsey Grammar only with more forehe (1)

Jansingal (1098809) | more than 5 years ago | (#25446139)

why did you reply to such a dtupid posting. guy is an idouit for such a comment.

Security can be bought (5, Funny)

davidwr (791652) | more than 5 years ago | (#25444495)

The price is usually money, time, emotional energy, study, and perhaps reduced functionality.

Then again, that's probably the point of the book.

Re:Security can be bought (4, Insightful)

Znork (31774) | more than 5 years ago | (#25445357)

Whether it can be bought or not is perhaps besides the point.

Because it can certainly be sold.

Re:Security can be bought (1)

_Sprocket_ (42527) | more than 5 years ago | (#25446121)

Security can be bought

The price is usually money, time, emotional energy, study, and perhaps reduced functionality.

Wait a minute. Emotional energy? Reduced functionality? Sounds like someone's buying themselves a whole lot of insecurity.

Security (3, Insightful)

TubeSteak (669689) | more than 5 years ago | (#25444533)

"Buying" security is easy, because throwing money at a problem is always the simplest path.

Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time..

Re:Security (4, Informative)

FooGoo (98336) | more than 5 years ago | (#25445063)

It's called transferring risk. The risk still exists but I pay someone else to mitigate it. There are some risks that a company may not be in a position to address themselves. Either due to conditions in the market place, lack of expertise, or excessive regulatory requirements.

Educating users is probabaly the easiest and cheapest way to reduce risk. It doesn't cost a lot of money or take a lot of time. The problem is most companies just don't do it. You might be looking at a cost of $100 per employee per year and 30 minutes to an hour to take a class.

Most companies mention it during orientation but never provide on-going training or support to their employees when it comes to security issues. In this case the infosec team needs to get out of their cubes and walk around and talk to people to be sure they can advise fellow employees on security risks and get the lowdown on which manager proposed something stupid this week. 90% of the security teams job should be education be it educating developers, system admins, general counsel, marketing, exec admins, or the board of directors.

Re:Security (1)

fm6 (162816) | more than 5 years ago | (#25445175)

Educating gatekeepers and end-users is vastly harder and much more expensive, because it not only costs money, it costs time..

Well, time is money, so really it's all about money.

Except it's not. Deploying thousands of security drones and tons of expensive machinery costs a lot more than a few classes. It's not about money. It's about convincing people that you're Doing Something. All that effort against mentally retarded terrorist serves the same purpose as Mayor Quimby's Bear Patrol: it's a conspicuous and easy-to-understand effort that everybody can relate to. Educating airline personnel on good security practices might be more effective, but does little to make people feel safer.

Suppose you could go back in time to 9/12/2001, and persuade SOT Mineta to forget about the security theater and concentrate on the more subtle security enhancements Schneier likes. He would have been fired within days. Everybody would have sneered at the retraining as touchy-feely crap. And frankly, I think most Slashdotters would have joined in.

Re:Security (1)

Znork (31774) | more than 5 years ago | (#25445643)

It's not about money.

Sure it is. For the security salesmen it's about convincing politicians and civil servants that they need to buy expensive security systems. Preferably with lots of blinking lights and even better, As Seen in the Movies, with technology that you can claim is sufficiently 'advanced' to justify the hefty pricetag.

For politicians it's another money/power making issue as they can justify sweeping spending and control with it. They're not overly difficult to talk into buying the pointless junk as it's not their money and they make their other gains by keeping people afraid.

People, to a large extent, don't actually give a crap about 'feeling safe' as far as it relates to abstract dangers like transportation security. Most engage in far riskier activities on an everyday basis; heck, terrorism rates about the same as accidental bathtub drownings as a risk over the last ten years. If it weren't for security salesmen and politicians, people would be a bit scared for a month or two and then get on with their lives. Much like other minor scares that we deal with.

Heck, I'd bet you find more people who've quit traveling due to the painfully retarded security, than you'd find not traveling because they're scared of security threats.

Bruce Almightly (3, Interesting)

FooGoo (98336) | more than 5 years ago | (#25444547)

I can't wait until this guy starts doing late night infomercials. If there is one thing Bruce its really good at...it's marketing. I remember when he gave me an autographed copy of Secrets and Lies for dropping 20 grand with Counterpane....I will cherish it forever

Re:Bruce Almightly (1)

Jansingal (1098809) | more than 5 years ago | (#25445687)

so you are both angry at bruce and jeaolous of his success!

Re:Bruce Almightly (1)

FooGoo (98336) | more than 5 years ago | (#25446395)

Actually, I am not angry. I am happy for him and I think his book Applied Cryptography was excellent and still serves as a great reference text.

What I have a problem with is the security pundits who add no real value to the discussion besides stating the obvious . His success today is more like that of an IT pop star preaching to the choir. Anger and jealousy don't fit into it....I can admire his past achievements and disagree with his current approach at the same time.

Security Isn't Important (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25444641)

I've learned over time working in many companies that security isn't important. What is important is the perception of security to the auditors, the clients, and the management. That's the key.

Re:Security Isn't Important (1)

TripMaster Monkey (862126) | more than 5 years ago | (#25444683)

Sure, that's important....until you actually have a security breach, and all the carefully managed "perceptions" of the auditors, clients, and management come crashing to earth.

Re:Security Isn't Important (4, Insightful)

burris (122191) | more than 5 years ago | (#25445385)

Maybe in the military or in geek super spook krad fantasy land. In the real world of business there is little to no impact to a business as a whole over any security breaches. The public record is replete with examples of businesses who seriously dropped the security ball but the effect was about as dramatic as a bug getting squished on the corporate windshield. Sure there's some goo to wipe off but the car doesn't slow down.

Microsoft, Netscape, credit card processors, insurance companies, civil administrations, many companies have slacked in their security but the worst that happened was a few negative articles in the press that were soon forgotten.

Find just one company that was shut down or went out of business because of a security breach. You just can't do it. Execs rarely even get fired over this stuff.

That's why businesses continue to have poor security. It's just not worth it. You just have to manage it, like everything else.

10 (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25444657)

Come on, I read this and it's not very good. And I'm a professional cryptographer working for a 3 letter agency.

Re:10 (3, Funny)

Penguinoflight (517245) | more than 5 years ago | (#25444831)

If you don't understand that you can post the name of the 3-letter agency while using an anonymous account, you can't be much of a cryptographer.

Not so fast Mr. Funny Guy (1)

xant (99438) | more than 5 years ago | (#25445793)

GP is clearly a troll, but you're wrong about Anonymous. Slashdot logs anonymous posts. If a TLA agency came after them, Mr. AC wouldn't be Anonymous for very long.

Re:10 (0)

zig007 (1097227) | more than 5 years ago | (#25444845)

Come on, I read this and it's not very good. And I'm a professional cryptographer working for a 3 letter agency.

Wow. I am positively blown away by the sheer credibility of your post.

I just have to say it again. Wow.
Anons rule.

Re:10 (0)

Anonymous Coward | more than 5 years ago | (#25444895)

I disagree - I read it and it's the best thing ever written. And I'm CTO for all of the 3 letter agencies.

Question (5, Funny)

Amazing Quantum Man (458715) | more than 5 years ago | (#25444693)

If Chuck Norris [chucknorrisfacts.com] tried to break Bruce Schneier's security [geekz.co.uk] , what would happen?

Re:Question (0)

Anonymous Coward | more than 5 years ago | (#25445541)

The LHC would open an wormhole to God's bewoulf cluster machine room, I guess.

Re:Question (3, Funny)

NoNeeeed (157503) | more than 5 years ago | (#25445593)

You would reach "beard critical mass", at which point the Large Hadron Collider would turn into a very surprised sperm whale and a bowl of petunias.

Why do you think you never see them together?

Re:Question (1)

Hotawa Hawk-eye (976755) | more than 5 years ago | (#25446231)

Why do you think you never see them together?

Maybe Chuck Norris and Bruce Schneier are one and the same person, and anyone who figures that out gets roundhouse kic$(&$*& NO CARRIER

Re:Question (0)

Anonymous Coward | more than 5 years ago | (#25445825)

Probably the same effect that a Lazgun has on a Holtzman field.

Re:Question (1)

spidr_mnky (1236668) | more than 5 years ago | (#25446021)

Just like the answer to the riddle about the unstoppable force and the immovable object, they can't exist in the same universe.

Dealing with symptoms (5, Interesting)

Anonymous Coward | more than 5 years ago | (#25444709)

Everything he talks about is just dealing with the symptoms. Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.

I've been thinking about terrorism lately and its causes and its implementers. most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.

Terrorism is the result of very desperate people who have lost all hope and feel powerless. The Middle East and its people have been shit on for a couple of millennia; whether by western powers, other in the Middle East (Persians and Turks), Asians. These are people who have felt shit on by the World and there's nothing they can do about it. The creation of Israel was the straw that broke the camels back - so to speak.

To make a long story short, if we gave autonomy to the Middle east (Oil supplies be damned!), meaning pull out completely. I think terrorism would stop or at the very least, decrease dramatically.

I also disagree with folks who think that if we were to leave the Middle East, others would gain control of the Oil thereby sending us into a depression or putting our military and defense in jeopardy. It won't happen.

Re:Dealing with symptoms (1)

Calinous (985536) | more than 5 years ago | (#25445073)

There is plenty of terrorism (or was lately) in Indonesia, Ireland, and ex-Soviet republics (true, close to the Middle East area) without involvement from the well-known (or less well known) Middle East factions. Also, there was terrorism in the U S of A that did not involved any kind of arabic or Middle East factions.
      Agree with the rest of the post

Re:Dealing with symptoms (1)

postbigbang (761081) | more than 5 years ago | (#25445095)

Sure. That'll help.

I suppose we'll have to forget about the domestic terrorism in OK City. Or the terrorism in the Phillipines. Or Columbia. Or Bolivia, or Argentina, and gosh, the rest of S America. Forget about Africa, too. Maybe the Tamils will surrender peacefully. Maybe the Hindus will stop fighting. Will the IRA cease fire-- really? How about the Basque?

In each case, there's a group that fights the rule of law and with unrestricted, murderous violence.

Your argument is about civility underneath. Without civility, we can't be sure that something will blow up. Letting the Middle East stew behind a wall isn't going to solve anything. For some, the mere fact that you exist as an infidel is all that's rationalized to murder you in cold blood.

Will the insane backlash of western fear make it any easier to travel about freely? You've seen the results.

Otherwise, Rothke is the wrong guy to do this sycophantic, uncritical review of Scheier'w work. To Rothke, Shneier's feces have no scent, whether in fact they do or not.

Re:Dealing with symptoms (1)

Medievalist (16032) | more than 5 years ago | (#25445559)

I suppose we'll have to forget about the domestic terrorism in OK City.

but that was Christian terrorism, by a fella that was probably trained in a US Christian terrorist training camp called Elohim City [adl.org] , and therefore DID NOT HAPPEN.

C'mon, get with the program! It's only terrorism if non-christian brownish people do it. Didn't you get the talking points?

Re:Dealing with symptoms (1)

_Sprocket_ (42527) | more than 5 years ago | (#25446265)

It's only terrorism if non-christian brownish people do it. Didn't you get the talking points?

I'm kind of curious as to who you think are putting forward these talking points? It can't be Necons who are pretty quick to mention domestic terrorism when convenient.

Re:Dealing with symptoms (1)

Forbman (794277) | more than 5 years ago | (#25445153)

yes, the random terrorism (e.g., Somali pirates that took over that Ukrainian freighter a couple of weeks ago) is that. But the more organized terror groups are after power.

The thesis is a joke... (0, Troll)

tjstork (137384) | more than 5 years ago | (#25445251)

How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?

Every year the middle east gets ten times more money than Europe got with the Marshall Plan for the whole thing and what do they do with it?

Time for people in the middle east to quit whining and stop pissing their money away.

Re:The thesis is a joke... (0)

Anonymous Coward | more than 5 years ago | (#25445349)

How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?

Every year the middle east gets ten times more money than Europe got with the Marshall Plan for the whole thing and what do they do with it?

Time for people in the middle east to quit whining and stop pissing their money away.

There are foreign troops occupying their land.

Re:The thesis is a joke... (1)

tjstork (137384) | more than 5 years ago | (#25445537)

There are foreign troops occupying their land.

Oh, you mean in Egypt? Saudi Arabia? Iran? Please, show me the foreign troops in Iran...

It's a b.s. excuse from a b.s. people that can't own up to being stupid. No wonder Obama wants to make nice with all of his buddies... liberals are just like radical islamics - no matter how much money you throw at them, they will be whining about how they are victims... when really, they are just lazy.

Re:The thesis is a joke... (1, Informative)

Anonymous Coward | more than 5 years ago | (#25446159)

Iran? Is that the country that the CIA lead an organized coup which toppled the secular democratically elected government in the 70's?

Re:The thesis is a joke... (2, Interesting)

Jherek Carnelian (831679) | more than 5 years ago | (#25445655)

How on earth can the middle east feel powerless when it is sucking a trillion dollars of oil money a year out of the western world?

Because >99% of those trillions go to 1% of the population?

Re:The thesis is a joke... (1)

Stormwatch (703920) | more than 5 years ago | (#25446217)

Reminds me of that joke... on a trip to France, a sultan buys some masterpieces from a fine art gallery, then says: "Alright, got the postcards. Time to go buy the souvenirs!"

Re:Dealing with symptoms (1)

anadem (143644) | more than 5 years ago | (#25445863)

Your assumption that terrorists are people driven by desperation is an outmoded idea that's leading to non-solutions. Research shows that most terrorists are actually motivated by unmet needs for social contact - they just want to acquire social status.

Re:Dealing with symptoms (0)

Anonymous Coward | more than 5 years ago | (#25445965)

There is no terrorism.

There is only murder.

Re:Dealing with symptoms (1)

Jansingal (1098809) | more than 5 years ago | (#25446113)

>>>Terrorism is a symptom of very desperate people who feel that they're being shit on by someone.

which shoes how clueless you are. dumb comment.

My answer to you all. (0)

Anonymous Coward | more than 5 years ago | (#25446157)

There is plenty of terrorism (or was lately) in Indonesia, Ireland, and ex-Soviet republics (true, close to the Middle East area) without involvement from the well-known (or less well known) Middle East factions.

AND...

I suppose we'll have to forget about the domestic terrorism in OK City. Or the terrorism in the Phillipines. Or Columbia. Or Bolivia, or Argentina, and gosh, the rest of S America. Forget about Africa, too. Maybe the Tamils will surrender peacefully. Maybe the Hindus will stop fighting. Will the IRA cease fire-- really? How about the Basque?

They're people that are being shit on by a state much more powerful than they are. They are being controlled by a power that they have no say in.

I should have specified terrorism against the US by folks from the Middle East in my original post.

I can't answer all of your posts because I'm an AC - and I'll stay that way.

yes, the random terrorism (e.g., Somali pirates that took over that Ukrainian freighter a couple of weeks ago) is that. But the more organized terror groups are after power.

Interesting point of view. I'll have to consider that.

Ahem...taken from the last Crypto-Gram: (3, Interesting)

I)_MaLaClYpSe_(I (447961) | more than 5 years ago | (#25446327)

The Seven Habits of Highly Ineffective Terrorists

[...]

Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.

If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.

Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:

Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.

Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.

The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.

For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terrorist group with a totally different political platform. Many new al-Qaida members say, unconvincingly, that they decided to become a jihadist after reading an extreme, anti-American blog, or after converting to Islam, sometimes just a few weeks before. These people know little about politics or Islam, and they frankly don't even seem to care much about learning more. The blogs they turn to don't have a lot of substance in these areas, even though more informative blogs do exist.

All of this explains the seven habits. It's not that they're ineffective; it's that they have a different goal. They might not be effective politically, but they are effective socially: They all help preserve the group's existence and cohesion.

This kind of analysis isn't just theoretical; it has practical implications for counterterrorism. Not only can we now better understand who is likely to become a terrorist, we can engage in strategies specifically designed to weaken the social bonds within terrorist organizations. Driving a wedge between group members -- commuting prison sentences in exchange for actionable intelligence, planting more double agents within terrorist groups -- will go a long way to weakening the social bonds within those groups.

We also need to pay more attention to the socially marginalized than to the politically downtrodden, like unassimilated communities in Western countries. We need to support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need. And finally, we need to minimize collateral damage in our counterterrorism operations, as well as clamping down on bigotry and hate crimes, which just creates more dislocation and social isolation, and the inevitable calls for revenge.

Re:Dealing with symptoms (0)

Anonymous Coward | more than 5 years ago | (#25446351)

Joe Sixpack has _no clue_ about how American policy in the Middle East is perceived. But every Palestinian or sympathizer is made aware on a daily basis of the impact that America's $1Billion/year aid to Israel and 100% unconditional diplomatic support of Israel has on them.

The fact is you can't have an occupation without creating injustice. And we in the US are held responsible for that by the all Arabs and Muslims.

Here, we just cover it over with "they hate us for our freedom" BS so we don't have to think about whether our policy is having consequences.

And there are few in government who are willing to criticize this policy. But that "Anonymous" guy who was in charge of tracking Bin Laden for the CIA was one of them, because he could see the direct link between our policy and its consequences.

Bin Laden himself might not care a fig for the Palestinians, but he knows that any of the typical incidents of injustice that get so much airplay on Al Jazeera (but never on CNN) are the best recruiting videos he could want.

Re:Dealing with symptoms (1)

mollymoo (202721) | more than 5 years ago | (#25446355)

I've been thinking about terrorism lately and its causes and its implementers. most terrorism is centered on what's happening in the Middle East. Now before someone accuses me of being anti-Islamic or racist or whatever, hear me out.

I don't think you're racist, just not very well informed. If the American press is your source of information that doesn't surprise me. Most terrorism is not centred on the Mid East, it's just that's all the terrorism the USA cares about. The motivations for all the other terrorists around the world are pretty much as you describe though, and the solution (stop fucking with people and they are much less likely to want to kill you) is generally applicable.

Crazy people ARE safe! (2, Informative)

fotakis (1302971) | more than 5 years ago | (#25444717)

"Since 9/11, much has been given up in the name of terrorism, and that has been personal privacy and security. Schenier asks, has it been worth it? " The United States is slowly resembling one of those padded rooms....

Yeah, safe and un-free! (2, Insightful)

k1e0x (1040314) | more than 5 years ago | (#25445779)

"Much of the security carried out in the name of 9/11 has proven to be infective in the seven years since the attack."

That is right and we can know this for certainty because if we believe Bush and his rhetoric that "Hundreds of terrorist plots have been stopped and the terrorists have been arrested" ..then where are the hundreds of trials? If there are no trials, or these plots are military "detainees" (read: "legally not prisoner"). Then why do we need civilian airport checks if civilians are not being arrested?

This HAS to be security theater, it is the only answer. Giving up your rights will not make you secure.. it will just change the threat from one thing to another. In this case you are simply moving the threat of terrorism to the threat of tyrannical state powers. Both are real. The threat of state power is much greater. You see.. our current government is "attempting" to use these powers for good.. they want to protect us.. but that government will not always be the same.. Some day we may see an administration elected that will use these expanded powers for bad things.. it's only a matter of time.

Re:Yeah, safe and un-free! (0)

Anonymous Coward | more than 5 years ago | (#25446145)

Some day?

There's only ONE way to get security: JESUS CHRIST (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25444745)

This is what it would be like, if the majority of people were athiests.
ATHIEST KID: Mom, I'm going to go fuck a hooker.
ATHIEST MOM: Okay, son.
ATHIEST KID: Afterwards, I'm going to go smoke pot with my friends, since it's "not addictive."
ATHIEST MOM: Okay, come home soon!

The athiest kid leaves the room. The father comes home from work several minutes later.

ATHIEST DAD: Hey!
ATHIEST MOM: Hi, honey! I'm pregnant again. I guess I'll just get another abortion, since "fetuses don't count as human life."
ATHIEST DAD: Okay, get as many abortions as you want!
ATHIEST MOM: Oh, and don't go in the bedroom.
ATHIEST DAD: Why not?
ATHIEST MOM: There are two gay men fucking eachother in there.
ATHIEST DAD: Why are they here?
ATHIEST MOM: I wanted to watch them do it for awhile. They just aren't finished yet.
ATHIEST DAD: Okay, that's fine with me!

Suddenly, their neighbor runs into the house.

ATHIEST NEIGHBOR: Come quick, there's a Christian outside!
ATHIEST MOM: We'll be right there!

The athiest couple quickly put on a pair of black robes and hoods. They then exit the house, and run into the street, where a Christian is nailed to a large, wooden X. He is being burned alive. A crowd of athiests stand around him, all wearing black robes and hoods.

RANDOM ATHIEST: Damn you, Christian! We hate you! We claim to be tolerant of all religions. But we really hate your's! That's because we athiests are hypocritical like that! Die, Christian!

THE END

Scary, isn't it?

Re:There's only ONE way to get security: JESUS CHR (0)

mcgrew (92797) | more than 5 years ago | (#25445083)

I'm checking NKB and NSB to answer this troll (biters anonymous here I come). But as a Christian, I take offense at what this idiot is posting.

Mom, I'm going to go fuck a hooker

Assuming the kid is not married, I find nowhere in the bible that the poster has obviously never read that says fucking hookers is a sin. I bet the troll who posted this is a four hundred pound glutton, that IS a sin.

Afterwards, I'm going to go smoke pot with my friends, since it's "not addictive."

Drugs aren't even mentioned in the bible, nor is addiction! The only drug mentioned is alcohol, which is said "give wine to the sad and strong drink to the dying".

Hi, honey! I'm pregnant again. I guess I'll just get another abortion, since "fetuses don't count as human life."

First, abortion is a personal matter between the man, woman, and doctor. Second the bible doesn't say when life begins. I personally would not want my own progeny aborted, but Christ said "why do you try to pluck the speck from your brother's eye when there's a beam [ceiling joist] in your own eye? First remove the beam from your own eye so you can see to remove the speck from your brother's."

There are two gay men fucking eachother in there

That's also 1. none of your fucking business and 2. not even mentioned in the New Testament.

The athiest couple quickly put on a pair of black robes and hoods.

That's some really offensive bullshit. Beg for God's forgiveness, you intolerant asshole. That isn't how any athiest I know is.

I've seen this troll before and the only reason I'm responding is to point out that Christians don't troll although some people who pretend to be Christian do.

Re:There's only ONE way to get security: JESUS CHR (1)

mcgrew (92797) | more than 5 years ago | (#25445241)

Damn it, who modded me up? Somebody please mod that comment down!

Re:There's only ONE way to get security: JESUS CHR (1)

DaveV1.0 (203135) | more than 5 years ago | (#25445475)

Second the bible doesn't say when life begins.

Actually, the bible lists when life begins, but none are consistent with each other. It lists when blood forms, when the mother first feels movement, and others.

What is not listed in the bible is anything about abortion. The closest thing I have seen listed is a miscarriage caused due to injury to a bystander of two men fighting.

Re:There's only ONE way to get security: JESUS CHR (1)

DaveV1.0 (203135) | more than 5 years ago | (#25445595)

The athiest couple quickly put on a pair of black robes and hoods. They then exit the house, and run into the street, where a Christian is nailed to a large, wooden X. He is being burned alive. A crowd of athiests stand around him, all wearing black robes and hoods.

RANDOM ATHIEST: Damn you, Christian! We hate you! We claim to be tolerant of all religions. But we really hate your's! That's because we athiests are hypocritical like that! Die, Christian!

Funny, that sounds like Christianity from about 500CE to 1700CE. You remember such things as witch burnings, the inquisition, forced conversions, the crusades, the murders of "heretics", etc.

The fact is that nothing you posted has anything to do with being atheist, but some of it is a very good reflection of how theists have behaved in the past and continue to behave in the present.

Take yourself for an example. I have no doubt you would murder every single person who would not convert to your particular flavor of religion and believe you are justified in doing so because you did it in the name of your god. And, you would expect to go to heaven because you repented after doing so.

Apply within. (1)

Ostracus (1354233) | more than 5 years ago | (#25444759)

"The reality is that security is not something you can buy; it is something you must get.""

WANTED: One security professional who knows what the hell they're doing. Please apply at the door.

STFU (0)

Anonymous Coward | more than 5 years ago | (#25444767)

Seriously, if we all donated a few cents via PayPal, would this guy just STFU and go away??? He's as bad as Paul Graham.

No bias at all, none what so ever (1, Funny)

Anonymous Coward | more than 5 years ago | (#25444879)

Schneier and I are both employed by the same parent company

[X] Brownnosing in progress

[ ] Fair and balanced book review

I've always wondered how often a single article could contain the words "Bruce Schneier", and you have just met my wildest expectations/p

Who cares? (1)

sjhalasz (1330557) | more than 5 years ago | (#25445057)

It doesn't do much good to point all this out. Security theater serves the interest of people who make the decisions and real, effective security does not. How do you make decision makers care about effective security? I don't know. Decision makers are almost entirely immune from the consequences of their decisions.

Not just about security - about everything (1)

bradgoodman (964302) | more than 5 years ago | (#25445163)

Everything works like this - not just security.

People responsible for things like airport security are ultimately bureaucrats. They are not experts, nor do they have the time or attention to get down to brass-tacks. The only thing they can do is throw money at the problem.

This how everything works from Airport Security, to product development and Q/A, to passing Financial Bailout legislation.

People who are in-charge of things often are 'executives' - meaning that they oversee a "big picture". These are usually people who are not experts in specific areas.

People who are experts in specific areas will rarley have 'executive' position (I use the work "executive" literally - meaning high-level overseers).

Example: a brilliant scientist spends his entire life solving equations, coming up with theories, designing and building rockets. He/she is revered in his/her work and excels, and is well know. Does this person will ultimately become a "lab fellow", or a "tenured professor", etc. etc. etc, they will not generally become the head of NASA. These are different positions, and different skillets. The "big-picture" guys are always the "political" ones. Mitt Romney would become the head of NASA before a scientist like I mentioned. And it that scientist were offered the position - their heads would be too into mathematical formulas and rocket designs to ever shift gears and worry about budgets and crap.

So the system is set up such that those at the help are the executives, not the experts.

Executives don't know any better than to react - It's only the experts that really think proactively - because that's what they do. Furthermore, executives (like in the TSA) aren't really hired to "make us safe" - they're hired to "make us feel safe".

I've been saying this for 20 years: "If we were serious about airport security, we'd do what they do in Israel". Their security is incredible, and obviously not the work of a pencil-pushing bureaucrat. They're security was obviously devised and executed by people who were heavily, heavily invested in and dedicated to it - on both professional and very personal levels. Israeli security would never take the crap that we do and call "security". 9/11 would never have taken place there for more reasons than I could count.

This is why after after Richard Reed tried to ignite an explosive in his left brown leather loafer, the TSA now mandates that everyone remove their left brown leather loafer for inspection.

If the TSA was serious, they'd make Bruce the head.

Re:Not just about security - about everything (1)

tjstork (137384) | more than 5 years ago | (#25445329)

Example: a brilliant scientist spends his entire life solving equations, coming up with theories, designing and building rockets. He/she is revered in his/her work and excels, and is well know...they will not generally become the head of NASA..

You mean like Dr. Werner Von Braun? He may not have been the head of NASA, but he certainly played a leadership role in the early american space efforts.

Executives don't know any better than to react - It's only the experts that really think proactively - because that's what they do. Furthermore, executives (like in the TSA) aren't really hired to "make us safe"

You can't ever be safe, that's the point. We're in an age where the offensive weapon is so far ahead of defenses that really no physical asset can actually be protected from a determined attacker. The best you can do is maybe guarantee that the attacker is killed and hope that it is a sufficient deterrent, but you aren't going to defend every aircraft, car, bridge, or pipe from every possible threat. You really can't.

To some extent, the illusion of security is all we will ever have until technology of defense catches up - either in better materials for passive defenses, better detection of smuggled weapons, and so forth.

Think like a bad person (1)

Rastl (955935) | more than 5 years ago | (#25445341)

I write code to do stuff. That's generic enough for me to continue.

When I write my code, I sit back and try to think of how people are going to try to get around the restrictions, do things they shouldn't do, etc. In other words, I think like a 'bad guy'.

I can't guess everything but if I can weed out the obvious stuff then I'm well on my way to making things that aren't going to have the security value of tissue paper, I hope.

It's kind of the equivalent of installing the best deadbolt made. On a hollow core door. You have to think it through or your dubious 'security measure' isn't all that secure.

Getting security... (1)

Chris Burke (6130) | more than 5 years ago | (#25445359)

"The reality is that security is not something you can buy; it is something you must get."

*sigh* Fine, make me do things the hard way. Who do I get security from, and how much will they charge me?

What do you mean I don't get it? Is my money not good around here?

Re:Getting security... (1)

liquiddark (719647) | more than 5 years ago | (#25446049)

Don't mind the whooshing sound above your head, sir. Now if you'll step inside my tent, I have some oil from a number of famously secure slithering reptiles.

Amen! (1)

certain death (947081) | more than 5 years ago | (#25445457)

Preach on Brother Bruce!! I don't know how many times I have heard a "C" level person say something like..."So, once we buy XYZ product, we will be secure, Right?" It makes me cringe!!

ondigo (3, Informative)

ondigo (1323273) | more than 5 years ago | (#25445605)

"...violates a basic unwritten rule, that the government should be granted only limited powers, and for limited purposes."

Sadly, that's not an unwritten rule. It is, in fact, the 10th amendment. So that just makes it an ignored rule.

Security's something one can get bribes for buying (1)

D4C5CE (578304) | more than 5 years ago | (#25446175)

There is a perception in both the private and government sector, that security, both physical and digital, is something you can buy.

More importantly, it is something that can be made expensive and trumpeted by the salesman's three best friends of Fear, Uncertainty and Doubt - leaving ample room to "reward" some of those who get to decide on spending the money of other people who cannot assess the value and actual benefit of their purchases.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...