Rating: Summary: Great book, but needs editing Review: Bruce Schneier is a well known security expert and author of one of my favorite technical books of all time, Applied Cryptography. This latest book, Beyond Fear, is written for a popular audience and mostly discusses security measures taken by the US since 9/11. While Bruce is thoughtful, clear, and provides excellent examples to back up his points, this book really could have used better editing. To me, it feels like three chapters were spun out into an entire book by repeating the same points and same examples over and over again. I still think this book is worth buying. The first 3-4 chapters alone are worthwhile. Spending some time thinking about security the way Bruce thinks about it -- always from a cost/benefit standpoint -- is worthwhile. But, as I was, you might get a little frustrated by the poor editing.
Rating: Summary: Essential guide to security for all of us. Review: Bruce Schneier's latest book is a departure from his previous work, leaving the technical realm largely behind as it looks at the concept of security in the whole. He brings a clear and witty expertise to the subject, balancing the real concerns with concepts that enable us to evaluate and act on our individual security situation. Security is a timely but complex issue, and Bruce has always been great at taking complex issues and breaking them down for the reader so that all the concepts seem clear and understandable, while at the same time building concept on concept until you have a clear and deep understanding of various difficult situations. He provides a five step process that allows you to evaluate your risk and security solutions, identifying those which are ineffective and increasing security in each individual's life. Bruce uses a variety of interesting examples, which all by themselves are worth the read. He writes witty, engaging prose throughout. The book is, simply, a great read. This is an important book. It covers one of the most critical concerns of our time in a clear and accessible way, while at the same time discussing and clarifying the complexity and nuances of the subject. It provides the reader with a really good read, and with tools to use to make them truly more secure and to understand and evaluate what our governments are doing on our behalf in the security arena.
Rating: Summary: Pragmatic advice Review: Bruce's greatest strength is in the role of Evangelist -- he translates the complex aspects of security into a vocabulary suitable for common consumption. If you're a sociologist, a risk management officer, or a cultural psychologist, you'll be familiar with a lot of the upstream references from which Bruce draws his examples. Conversely, if you're working in an office where "solving that security problem" is one of your many tasks, you won't have the time or inclination to dig out the esoteric sources. Consider this book as an alternative, far less onerous choice. The book is easy reading -- it flows quickly and keeps returning to a common set of themes. These are set against many contexts so you're sure to find something familiar. You won't find any math or Greek notation in here, to the disappointment of "Applied Cryptography" die-hards but the relief of everyone else. The underlying message, seeing beyond the Fear, Uncertainty, and Doubt (FUD) propagated by mass media and the government, is a key one to understanding why it's OK to question this hyper-security-conscious world we find ourselves in. Airline security is an arena familiar to most business travelers, and we as passengers are expected not only to accept increasingly invasive measures, but welcome them without hesitation. Bruce teaches us how to evaluate the efficacy of these schemes both individually and in the aggregate. The results will surprise all but the most cynical among you. That said, this is not the textbook of a conspiracy theorist. Bruce willingly admits that improving security correctly is a worthwhile pursuit, and even teaches us how to do it. You won't find the rantings of an ill-informed libertarian crackpot. If your interests lead you to ask questions and be curious about the changes to your world in recent years, you will find this an entertaining and informative volume. Democrat or Republican, luddite or technology businessperson, it's worth a look at your earliest opportunity.
Rating: Summary: Sensibly - is right Review: Executive summary: Timely and well written. Buy it. Bruce has a great ability to "keep it real" - which is why his books are so readable and down to earth. With a background in cryptography, Bruce has broadened his scope to become one of the broadest thinkers in security today - no mean feat by any measure. One of the reasons I tell my corporate consulting clients to "Read Bruce's books" is because he's able to put things into the overall context in a way that is uplifting rather than depressing or overwhelming. For example, I consider "Secrets and Lies" (and now "Beyond Fear") to be essential bookshelf material for anyone who has to deal with security. When people are starting in security and ask me where to begin, it's with these books. Absorbing them, and the concepts behind them, is a good way of avoiding the pitfalls in this complex field. For the non-security-professional, this book is also a terrific read. Read it more like it's a spy novel, sit back, and enjoy it. Movie script-writers? If you're going to write a script that touches on computer security: read this book. mjr.
Rating: Summary: Comment to Richard Bejtlich Review: Hello Richard, in your review you wrote: "A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset", "All of these terms were defined years ago by military intel and law enforcement types" and "It's the digital security community that's obscuring the definitions". I disagree. Information security just has slightly different jargon. That's not an uncommon source of confusion in different, but related, professional fields, and there's a particular reason why we're really not interested in the military definition of "threat". In the information security field, "risk" and "vulnerability" have roughly the same meanings that you use. However, "threat" means something more like "a method of exploiting a vulnerability or combination of vulnerabilities to cause a loss", while what you call a "threat" is an abstraction called an opponent or adversary. When we talk about "threat analysis", we mean examining ways vulnerabilities can be combined and exploited and what kinds of losses they can cause; these analyses may then be used as inputs to a risk analysis model. In the lunch room example you cited, the threat is "casually saunter up to the fridge, glance around, take a lunch, scurry away", and would be characterised as "low cost, low skill, low risk of discovery". The threat is indeed the same whether or not there is an opponent to exploit it. Opponents, in turn, are fairly abstractly characterised, something like: C: "local hobo who notices the smokers propping open the lunch room door"; B: "hungry intern on low wage"; A: "corporate saboteur spiking the CFO's salad at the AGM". What your intel and law enforcement types call a "threat analysis" simply isn't terribly relevant in the IT security field; we are mostly civilian corporate employees, with neither the right nor capability to compile dossiers on *specific* "opponents". We do compile information about what kind of attacks have actually been occurring; we call that the "CERT Summary"! It is true, as Schneier says, that "threat analysis" and "risk analysis" are often confused in IT security - due in large part to the non-IT security world merging both concepts into their risk analyses. But in our field it is much better to keep them separate. A threat analysis is a more abstract (and hence generally applicable) study, while a risk analysis depends on a particular business model. For example, if we store Almas caviar in the fridge instead of salami, the threat analysis is the same, but the risk analysis will be considerably different; all the weirdo threats that were low risk before (e.g. masked men with shotguns storming the fridge) become realistic. This separation is useful when identical reusable software components may be employed by thousands of very different businesses. So, while I found your comments very interesting, I think the semantic difference is just a difference, not an error.
Rating: Summary: Security or Liberty? Both! Review: I first read about Bruce Schneier in an eye-opening article by Charles Mann in the September, 2002 issue of The Atlantic Monthly. It seems that you don't have to make the false choice everyone is agonizing over between security and liberty. You can have both. Schneier's book expands on the ideas in the article. Although Schneier is a technology fan and it is his livelihood, he realizes that sometimes a live security guard can provide better security than cutting-edge (but still fallible) face-recognition scanners, for instance. He explains why national ID cards are not a good idea, and how iris-scanners can be fooled. These are ideas for security on a large scale, for airports, nuclear and other power plants, and government websites. For security on an individual or small business scale, try Art of the Steal by Frank Abagnale. But even if you don't run a government, Beyond Fear is a fascinating read about how your government is making choices (and how they SHOULD be making choices) about your security and about your rights.
Rating: Summary: The Title is The Theme Review: I have read a number of the Pro and Con reviews. I think it is important to take a good look at the title of the book, and use that as a guide to a buying decision. This book is not an in-depth cookbook of technical approaches to combat hackers, but rather a sensible way of looking at the issues that contribute to an aura of security, the appearance of security, and actually being secure. I really liked the whole premise, because we are such an image-conscious, sound-bite oriented society that it can become quite difficult to deliver a thought-provoking treatise on a topic that many think they know so much about. My only negative comment would be that it got a little slow at the end, for me. Maybe I was just tired that night or something. He cites a few excellent examples of places or instances where someone did something that they honestly felt would contribute to increased security, when the actual effect turned out to be the opposite. If I may draw a crude comparison: if you appreciated some of the observations, and perhaps even the writing style and presentation in Hammer and Champy's "Reengineering the Corporation", then you will like and appreciate this volume. The way Mr. Schneier presents information, and the way he introduces you to perceived vs. actual may strike you as being similar. (No offense meant to either author - I enjoyed both) Happy trails.
Rating: Summary: I WANT MY MONEY BACK Review: I thought this book would tell me something I didn't know. It didn't. I thought it would be interesting enough to keep me awake and wanting to read it. It wasn't. I thought Bruce Schneier was a big thinker and aggressive. He isn't; he's overly cautious and careful with his words out of his own "fear" of insulting somebody. I thought he would take a stand on the issues. He didn't. I thought he understood security in the post-9/11 world. He doesn't. In fact, this book was written like 9/11 never happened and as if our terrorist enemies are mindless idiots. If you want a good overview of the strategic issues facing cyber security and homeland security, read Dan Verton's Black Ice. That offers a far better understanding and overview of what's going right and what's going wrong in homeland security and cyber security, because Verton isn't afraid. Schneier hasn't found a way to go beyond his own fear.
Rating: Summary: Realistic and practical Review: In a world where we are constantly bombarded with information about how to be safer, what things are dangerous, what to do in case of X, it is pleasant and surprising to see a book that tells you how to make decisions like these yourself. Pleasantly apolitical, Schneier presents a concrete way to evaluate various decisions about security. Should you install an alarm system in your home? Should airline pilots be armed? While different in scope, the process of answering these questions is the same and presented in easy-to-understand language. This is not a book for "security experts"; it is a book for all of us. When you are finished reading the book, you are armed with the tools to make decisions about your own security and to evaluate the ideas presented by policy-makers. More importantly, you have the tools to rationally describe why potential policies would make things less secure rather than more secure. This book is a valuable, perhaps necessary, resource for everyone. If you've ever worried about a particular threat and wondered what you could do, read this book.