Schneier on Security

by Bruce Schneier

Presenting invaluable advice from the world?s most famous computer security expert, this intensely readable collection features some of the most insightful and informative coverage of the strengths and weaknesses of computer security and the price people pay -- figuratively and literally -- when security fails. Discussing the issues surrounding things such as airplanes, passports, voting machines, ID cards, cameras, passwords, Internet banking, sporting events, computers, and castles, this book is a must-read for anyone who values security at any level -- business, technical, or personal.

Genres: Nonfiction, Technology, Audiobook, Science, Politics, Hackers, Computers

495 pages, Kindle Edition

First published September 29, 2008

About the author

Bruce Schneier is a renowned security technologist, called a “security guru” by the Economist. He has written more than one dozen books, including the New York Times bestseller Data and Goliath (2014) and Click Here to Kill Everybody (2018). He teaches at the Harvard Kennedy School and lives in Cambridge, Massachusetts.

Reviews

[Daniel · Rating 2 out of 5]

While the book was nice for a while, just dragging together existing blog articles doesn’t lead to an good book. Massive redundancies.

[Chad · Rating 3 out of 5]

A quotable book about the principles of security and privacy, and having a security mindset. I had high expectations based on Schneier's reputation and the praise I've heard for this book over the years, but I was underwhelmed. It's a collection of Schneier's articles spanning several years. Although many of the concepts still apply, some of the specific advice is dated. Much of the book is about security in general, not focused on information security. There's a lot about national security, terrorism, elections, etc.

I read this to learn more about Internet security and privacy.

Notes
Introduction

Security is often about technology, but it's always about people. People are the reason security exists in the first place, and people are at the core of any security breach. Technology helps—both the attacker and defender, actually, although in different ways—but security is fundamentally about people.

4 principles of security
1. "Security is a trade‐off. There's no such thing as absolute security." To get security, we must give up money, time, convenience, capabilities, liberties, etc.
2. "You are a security consumer." Rather than asking "Is this security measure effective?" ask, "Is this a good trade‐off?" Trade-offs are subjective, not objective.
3. "Security is a system." Analyze security in the context of the entire system, not the individual components.
4. "Technology causes security imbalances." Technology changes trade‐offs, by making things cost less or more, take more or less time, etc. These changes can benefit attack or defense.

Terrorism and Security
Our national infrastructure has many vulnerabilities, but its systems are designed to limit the damage from errors and accidents, so the vulnerabilities rarely cause catastrophic disruptions.

The risks of cyberterrorism are overrated, but the risks of cybercrime (fraud, espionage, etc.) are underrated. Fortunately, the same countermeasures against cyberterrorists work against hackers and cybercriminals.

Privacy and Surveillance
Responses to “If you aren't doing anything wrong, what do you have to hide?”
“If I'm not doing anything wrong, then you have no cause to watch me.”
“Because the government gets to define what's wrong, and they keep changing the definition.”
“Because you might do something wrong with my information.”

"My problem with quips like these—as right as they are—is that they accept the premise that privacy is about hiding a wrong. It's not."

Privacy is important because without it, surveillance information will be abused (to spy, to sell data to marketers, to spy on political enemies, etc.)

"Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance."

"Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide."

"Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. … Security affects privacy only when it's based on identity, and there are limitations to that sort of approach."

"The debate isn't security versus privacy. It's liberty versus control."

There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: 'Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.' It's also true that those who would give up privacy for security are likely to end up with neither.

"As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers."

"1984's Big Brother was run by the state; today's Big Brother is market driven."

Security is a trade‐off. It makes no sense to ask whether a particular security system is effective or not—otherwise you'd all be wearing bulletproof vests and staying immured in your home. The proper question to ask is whether the trade‐off is worth it. Is the level of security gained worth the costs, whether in money, in liberties, in privacy, or in convenience?

"Pervasive security cameras don't substantially reduce crime," shown by data from several studies in the US and UK. "Cameras actually solve very few crimes, and their deterrent effect is minimal."

"The problem isn't anonymity; it's accountability. If someone isn't accountable, then knowing his name doesn't help."

"Historically, accountability has been tied to identity, but there's no reason why it has to be so."

"Whenever you put data on a computer, you lose some control over it. And when you put it on the Internet, you lose a lot of control over it."

"If you type it and send it, prepare to explain it in public later."

About half of Americans are likely identifiable by gender, date of birth, and city of residence.

Election Security
Regarding elections, "In today's world of computer crashes, worms, and hackers, a low‐tech solution is the most secure."

The companies that produce electronic voting machines have had poor security practices.

Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never‐ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses.

The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want. Remote voting, whether by mail or by Internet, removes that security.

Schneier's recommendation is to require electronic voting machines to generate a voter‐verifiable paper audit trail (aka voter‐verified paper ballot).

Security and Disasters
When you design for safety, you defend against accidents (random faults). When you design for security, you defend against random and nonrandom (deliberate) events. E.g., designing for safety must defend against knives accidentally left in luggage, whereas designing for safety must defend against knives made of materials hard to detect with X-ray machines, or deliberately positioned in luggage to be hard to detect with X-ray machines.

Economics of Security
"… many of the most basic security questions are at least as much economic as technical."

Psychology of Security
"… people make most trade‐offs based on the feeling of security and not the reality."

"Security theater is no substitute for security reality, but, used correctly, security theater can be a way of raising our feeling of security so that it more closely matches the reality of security."

Computer and Information Security
Safe Personal Computing
• General: Turn off the computer when you're not using it.
• Laptop & mobile device security: When you're not home, keep your laptop or mobile device with you at all times. Regularly delete unneeded data.
• Backups: Back up regularly. Store at least one set of backups off‐site and at least one set on‐site.
• Operating systems: If possible, don't use Microsoft Windows. Use a Mac or Linux.
• Applications: Limit the number of applications on your devices. If you don't need it, don't install it. If you no longer need it, uninstall it. Keep applications updated.
• Browsing: Don't assume a website is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near‐miss.
• Websites: A TLS/SSL certificate doesn't prove that the vendor is trustworthy, or keeps customer information secure. Think before you do business with a website. Limit the financial and personal data you send to websites. Withhold info, or give false info. Opt out of marketing. If you have the option, opt out of websites storing your info. Use credit cards rather than debit cards for ecommerce.
• Passwords: Create and store long, random passwords. Never reuse a password for something you care about. Never type a password you care about into an insecure (HTTP rather than HTTPS) page.
• Email: Don't assume that the “From” address is true. Delete spam without opening it. Delete messages with attachments without opening them, unless you know what they contain. Delete forwarded joke emails without opening them. Never click links in email unless you trust the email; copy and paste the link into your browser instead.
• Anti-malware (antivirus) software: Use it.
• Firewall: Enable your operating system's firewall.
• Encryption: Use full-disk encryption.

When going to another country, take a laptop that's been wiped clean. Once in the foreign country, download data you need over a VPN. Use a VPN to send data back home. Wipe the laptop before going home. If this isn't possible, consider putting sensitive data on a USB drive or memory card.

To make a strong password, don't use any dictionary words. Mix upper- and lowercase letters, numbers, and symbols into the middle of your password.

Security engineers see the world differently than other engineers. Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent—or protect against—those failures. Most software vulnerabilities don't ever appear in normal operations, only when an attacker deliberately exploits them. So security engineers need to think like attackers.

"People without the mindset sometimes think they can design security products, but they can't."

[Teo · Rating 4 out of 5]

2016.11.25–2016.12.05

Contents

Schneier B (2008) (11:19) Schneier on Security

Introduction

01. Terrorism and Security
• What the Terrorists Want (Originally published in Wired, 24 August 2006)
• Movie-Plot Threats (Originally published in Wired, 8 September 2005)
• Fixing Intelligence Failures (Originally published in Crypto-Gram, 15 June 2002) 
• Data Mining for Terrorists (Originally published in Wired, 9 March 2006)
– The Architecture of Security (Originally published in Wired, 19 October 2006)
• The War on the Unexpected (Originally published in Wired, 1 November 2007)
• Portrait of the Modern Terrorist as an Idiot (Originally published in Wired, 14 June 2007)
– Correspondent Inference Theory and Terrorism (Originally published in Wired, 12 July 2007)
– The Risks of Cyberterrorism (Originally published in Crypto-Gram, 15 June 2003) 


02. National Security Policy
• The Security Threat of Unchecked Presidential Power (Originally published in Minneapolis Star Tribune, 21 December 2005) 
• Surveillance and Oversight (Originally published in Minneapolis Star Tribune, November 2005) 
• NSA and Bush’s Illegal Eavesdropping (Originally published in Salon, 20 December 2005) (Note: I wrote this essay in the days after the scandal broke.) 
• Private Police Forces (Originally published in Minneapolis Star Tribune, 27 February 2007) 
• Recognizing “Hinky” vs. Citizen Informants (Originally published in Crypto-Gram, 15 May 2007) 
• Dual-Use Technologies and the Equities Issue (Originally published in Wired, 1 May 2008) 
• Identity-Theft Disclosure Laws (Originally published in Wired, 20 April 2006) 
• Academic Freedom and Security (Originally published in San Jose Mercury News, 20 September 2004) 
• Sensitive Security Information (SSI) (Originally published in Crypto-Gram, 15 March 2005) 
• Fingerprinting Foreigners (Originally published in Newsday, 14 January 2004) 
• U.S. Medical Privacy Law Gutted (Originally published in Crypto-Gram, 15 June 2005) 


03. Airline Travel
• Airport Passenger Screening (Originally published in Wired, 23 March 2006) 
• No-Fly List (Originally published in Newsday, 25 August 2004)
• Trusted Traveler Program (Originally published in The Boston Globe, 24 August 2004) 
• Screening People with Clearances (Originally published in Wired, 5 October 2006) 
• Forge Your Own Boarding Pass (Originally published in Wired, 2 November 2006) 


04. Privacy and Surveillance
• Our Data, Ourselves (Originally published in Wired, 15 May 2008) 
• The Value of Privacy (Originally published in Wired, 18 May 2006) 
• The Future of Privacy (Originally published in Minneapolis Star Tribune, 5 March 2006) 
• Privacy and Power (Originally published in Wired, 6 March 2008) 
• Security vs. Privacy (Originally published in Wired, 24 January 2008) 
• Is Big Brother a Big Deal? (Originally published in Information Security, May 2007) 
• How to Fight (Originally published in Crypto-Gram, 15 July 2003) 
• Toward Universal Surveillance (Originally published in CNet, 30 January 2004) 
• Kafka and the Digital Person (Originally published in Crypto-Gram, 15 December 2004) 
• Anonymity and Accountability (Originally published in Wired, 12 January 2006) 
• Facebook and Data Control (Originally published in Wired, 21 September 2006) 
• The Death of Ephemeral Conversation (Originally published in Forbes, 18 October 2006) 
– Automated Targeting System (Originally published in Forbes, 8 January 2007) 
• Anonymity and the Netflix Dataset (Originally published in Wired, 13 December 2007) 
• Does Secrecy Help Protect Personal Information? (Originally published in Information Security, January 2007) 
• Risks of Data Reuse (Originally published in Wired, 28 June 2007) 

05. ID Cards and Security
• National ID Cards (Originally published in Minneapolis Star Tribune, 1 April 2004) 
• REAL-ID: Costs and Benefits (Originally published in The Bulletin of Atomic Scientists, March/April 2007) 
• RFID Passports (Originally published in The International Herald Tribune, 4 October 2004, with a longer version published in Crypto-Gram, 15 October 2004) 
• The Security of RFID Passports (Originally published in Wired, 3 November 2005) 
• Multi-Use ID Cards (Originally published in Wired, 9 February 2006) 
• Giving Driver’s Licenses to Illegal Immigrants (Originally published in Detroit Free Press, 7 February 2008) 


06. Election Security
• Voting Technology and Security (Originally published in Forbes.com, 13 November 2006) 
• Computerized and Electronic Voting (Originally published in Crypto-Gram, 15 December 2003) 
• Why Election Technology is Hard (Originally published in San Francisco Chronicle, 31 October 2004) 
• Electronic Voting Machines (Originally published in openDemocracy.com, 9 November 2004) 
• Revoting (Originally published in Wired, 16 November 2006) 
• Hacking the Papal Election (Originally published in Crypto-Gram, 15 April 2005) 


07. Security and Disasters
• First Responders (Originally published in Wired, 23 August 2007) 
• Accidents and Security Incidents (Originally published in Crypto-Gram, 15 September 2003)
• Security at the Olympics (Originally published in Sydney Morning Herald, 26 August 2004) 
• Blaster and the August 14th Blackout (Originally published in News.com, 9 December 2003) 
• Avian Flu and Disaster Planning (Originally published in Wired, 26 July 2007) 


08. Economics of Security
• Economics and Information Security (Originally published in Wired, 29 June 2006) 
• Aligning Interest with Capability (Originally published in Wired, 1 June 2006) 
• National Security Consumers (Originally published in News.com, 4 May 2004) 
• Liability and Security (Originally published in IEEE Computer, April 2004) 
• Liabilities and Software Vulnerabilities (Originally published in Wired, 20 October 2005) 
• Lock-In (Originally published in Wired, 7 February 2008) 
– Third Parties Controlling Information (Originally published in Wired, 21 February 2008) 
– Who Owns Your Computer? (Originally published in Wired, 4 May 2006) 
– A Security Market for Lemons (Originally published in Wired, 19 April 2007) 
• Websites, Passwords, and Consumers (Originally published in IEEE Security and Privacy, July/August 2004) 


09. Psychology of Security
• The Feeling and Reality of Security (Originally published in Wired, 3 April 2008) 
• Behavioral Assessment Profiling (Originally published in The Boston Globe, 24 November 2004) 
• In Praise of Security Theater (Originally published in Wired, 25 January 2007) 
• CYA Security (Originally published in Wired, 22 February 2007) 
• Copycats (Originally published in Wired, 8 March 2007) 
• Rare Risk and Overreactions (Originally published in Wired, 17 May 2007) 
• Tactics, Targets, and Objectives (Originally published in Wired, 31 May 2007) 
• The Security Mindset (Originally published in Wired, 20 March 2008)  


10. Business of Security
• My Open Wireless Network (Originally published in Wired, 10 January 2008) 
• Debating Full Disclosure (Originally published in CSO Online, January 2007) 
• Doping in Professional Sports (Originally published in Wired, 10 August 2006) 
• University Networks and Data Security (Originally published in IEEE Security and Privacy, September/October 2006) 
• Do We Really Need a Security Industry? (Originally published in Wired, 3 May 2007) 
• Basketball Referees and Single Points of Failure (Originally published in Wired, 6 September 2007) 
• Chemical Plant Security and Externalities (Originally published in Wired, 18 October 2007) 


11. Cybercrime and Cyberwar
• Mitigating Identity Theft (Originally published in CNet, 14 April 2005) 
• LifeLock and Identity Theft (Originally published in Wired, 12 June 2008) 
• Phishing (Originally published in Wired, 6 October 2005) 
• Bot Networks (Originally published in Wired, 27 July 2006) 
• Cyber-Attack (Originally published in Wired, 5 April 2007) 
• Counterattack (Originally published in Crypto-Gram, 15 December 2002) 
• Cyberwar (Originally published in Crypto-Gram, 15 January 2005) 
• • The Waging of Cyberwar 
• • Properties of Cyberwar 
• Militaries and Cyberwar (Originally published in Crypto-Gram, 15 January 2003) 
• The Truth About Chinese Hackers (Originally published in Discovery Technology, 19 June 2008) 


12. Computer and Information Security
• Safe Personal Computing (Originally published in CNet, 9 December 2004) 
• How to Secure Your Computer, Disks, and Portable Drives (Originally published in Wired, 29 November 2007) 
• Crossing Borders with Laptops and PDAs (Originally published in The Guardian, 15 May 2008) 
• Choosing Secure Passwords (Originally published in Wired, 11 January 2007) 
• Authentication and Expiration (Originally published in IEEE Security & Privacy, January/February 2005) 
• The Failure of Two-Factor Authentication (Originally published in Communications of the ACM, April 2005) 
• More on Two-Factor Authentication (Originally published in Network World, 4 April 2005) 
• Home Users: A Public Health Problem? (Originally published in Information Security, September 2007) 
• Security Products: Suites vs. Best-of-Breed (Originally published in Information Security, March 2008) 
• Separating Data Ownership and Device Ownership (Originally published in Wired, 30 November 2006) 
• Assurance (Originally published in Wired, 9 August 2007) 
• Combating Spam (Originally published in Crypto-Gram, 15 May 2005) 
• Sony’s DRM Rootkit: The Real Story (Originally published in Wired, 17 November 2005) 
• The Storm Worm (Originally published in Wired, 20 September 2007) 
• The Ethics of Vulnerability Research (Originally published in InfoSecurity Magazine, May 2008) 
• Is Penetration Testing Worth It? (Originally published in Information Security, March 2007) 
• Anonymity and the Tor Network (Originally published in Wired, 4 October 2007) 
• Kill Switches and Remote Control (Originally published in Wired, 26 June 2008) 

A. References

Index

[Kevin O'Brien · Rating 4 out of 5]

Bruce Schneier is one the experts on computer security, and I have followed him with pleasure and learned a lot. He has a very practical approach to understanding what works and what does not work in this area, and this book is a collection of his short writings from a variety of places: His blog (Cryptogram), Wired, CNet, IEEE Security & Privacy, Communications of the ACM, etc. These are brief and to the point, most of the articles being a couple of pages long. Most of the articles were written in the early 2000s, but I don't think they are out-of-date at all because they are about how to think about security, not about the technical issues. He also provides a lengthy References section in the back in case you want to go deeper into any of the events he discusses.

Because these are bite-sized articles, this would actually be the perfect "Bathroom Reader" for the security geek in your life.

[Ulises · Rating 4 out of 5]

A collection of articles he has published over the years on cyber security. Some articles are dated, but the underlying common sense he conveys on each essay is still relevant today.

[Carl · Rating 2 out of 5]

Perhaps, he should have had someone else do his audiobook because his monotony delivery made for a flat presentation. As for the content, it was relevant, except for the part speaking about PDAs.

[Daniel Bernardes · Rating 2 out of 5]

Bruce Schneier is a well-known and colorful figure in the security industry and distinguishes himself for his broad interests related to security and for being a good story teller. These traits can be found in his book, which is a collection of essays on various security topics.

The book is particularly suited for layman audience but can be a little bit repetitive. Admittedly, the points stressed over and over are important and worth remembering, particularly the notions that security decisions always involve trade-offs, that security systems design often entail unintended consequences and the potential "externalities" of the current digital presence.

Similar notions can typically be found the field of economics, which makes the parallel between the two areas interesting. Schneier mentions the link between security and economics loosely in several occasions and draws public policy implications which are often unconvincing. It is possible that the advocated policy ideas are the result of an in-depth economic analysis, which did not make it to the book, but I am skeptical. In particular, many policies seem to ignore Public Choice Theory analysis. To be fair, one cannot blame him for not being a trained economist, but precisely because of that it might have been better to focus less on pushing policy and instead make the parallel between economics and security more concrete.

On a positive note, it was interesting to read his essays about the NSA data collection, published in a time where they were mostly speculative and contrast it the recent revelations on the various NSA programs: they confirm to large extant the author's insights about surveillance programs.

In a nutshell, the book is interesting but also a bit superficial in its analysis.

[Jason · Rating 3 out of 5]

This is a collection of Bruce Schneier writings, from his blog, various websites, etc. It's organized by topic, rather than date or original source, so you get sections on security, privacy, etc.

Each individual article is filled with Schneier's usual brilliance. It's obvious they weren't meant to be all put together, though. Each article is a standalone piece. There's no flow between them, he often hits the same idea repeatedly in different ways, etc. I don't fault any of the individual articles, but sitting down and reading it sequentially doesn't work well.

If you're not familiar with Bruce Schneier, I'd recommend starting with his other books, like Beyond Fear, rather than this. If you're looking for a collection of his material, this works, even though it doesn't make a very good read as a whole.

[Darrenglass · Rating 2 out of 5]

Bruce Schneier is a very smart man, who thinks about things in interesting ways. As a quote on the front of this book says, he is "the closest thing the security industry has to a rock star" which is certainly true (even if that still puts him pretty far from a rock star). That said, this collection of essays didnt really work for me. It is basically a compilation of 1-2 page blog posts and essays he wrote for his newsletter and for Wired magazine, and this leads to absolutely no cohesion and lots of redundancy. It also exposes the crankier side of Schneier, which is more likely to criticize existing security measures than to say anything productive about what should be done to improve airport/internet/other security. If you have never read his writings before, check out his blog as he has good things to say. But this book is not the best way of experiencing him.

[Paul Childs · Rating 4 out of 5]

Schneier has a great view on things when it comes to security and this book reflects that. He has chapters that discuss all the important topics of the day from air line safety, to the Internet, and Homeland Security. The topics tend to be more about the general ideas and themes of security rather than the nuts and bolts of how to be more secure.

He correctly points out that we often do what makes us think we are more secure, even when it doesn't really make it so. Our government would be better off if the people in the Congress had to read his book before passing anymore laws that cost too much for to little (or no) benefit.

If there is a downside to this book, it is that it is a compilation of his essays from various magazines and blogs. If you already read his blog, chances are that you already know what a lot of this book says.

[AJ Armstrong · Rating 4 out of 5]

I am an enormous fan of Bruce Schneier, and his expertise and the depth of his thinking on issues of security (ranging from cyber- to physical) are clear in these essays. My only critique, and the reason it is not 5 stars, is that due to the fact that this is a collection of stand-alone essays, it often seems repetitive with the same points and illustrations---originally made months apart for different publications---appearing a scant few pages apart. It is far better read in bits and pieces than in a lengthy sitting to avoid the appearance of pedantry.

[David · Rating 5 out of 5]

So many people claim to be experts in our field and spout the same old rhetoric. Bruce truly has a grasp of the principles that make our field interesting to me. I do not agree with everything he says, but even when I disagree, I find his arguments compelling and challenging.

This series of articles is well worth the read for people in and out of the security field. Bruce addresses many topics from the predicted technical security, to identity theft and on to terrorism.

Pick it up and enjoy... or at least be challenged.

[Rick Mavrick · Rating 4 out of 5]

A roughly collated collection of mini-essays focusing on the economics, politics or pop. psychology of security issues. The scatter-shot selection of the essays enjoyably and pragmatically covers a broad collection of topics if only to say (from 2009) "See I told you that was crap, in Wired, in 2002". The grumpiness is mostly endearing and "the way things should be" is jingoistically American but perhaps not insidiously so.

[Benjamin · Rating 4 out of 5]

As always, Schneier presents a variety of security problems and solutions of varying levels of complexity, examines and scrutinizes others' security proposals in a straight-forward manner, and explains the logic he used to reach his conclusions, and does all of this very well. Though all of it is interesting, his ideas on systems of economic incentives and disincentives, voting security, and security and politics are of particular noteworthiness.

[Lukas · Rating 3 out of 5]

It's a wake up call in some ways and I like the way he pounds his points home. Certainly got me thinking a lot more about ubiquitous security. However as a book - this is more a collection of all his published articles so they are repetitive as his points evolve. I wish it was written more like a book.

[Jonathan · Rating 3 out of 5]

A nice collection of short essays grouped together by topic that provides a better view of each topic as a whole. Slightly disjointed simply because it is a collection of making it difficult to build a larger overall case without any framing of the essays as examples. A good read but not outstanding.

[waitsforsleep · Rating 4 out of 5]

Required reading for anybody who builds software systems for a living or fun. Schneier's style of stating his case is simple and clear enough that you might end up learning something even if you are not a "technical" person and just have a passing interest on how we make security trade-offs in our day to day lives

[Arjen · Rating 4 out of 5]

Collection of essays Schneier published over the last decade or so. Schneier is always pointing you at the 'security mindset', think out of the box.

I especially enjoyed the chapter about why he leaves his private wifi network open and the chapters about the psychology of security.

[Joy · Rating 3 out of 5]

I had read the majority of these essays in their original venues or online, as it turns out. Schneier is one of the most cogent people writing on matters of security; what hurt the most re-reading these pieces from 2006-2008 is what hasn't changed.

[Salem · Rating 4 out of 5]

I'd read a number of selections in other places, but having it all in one place makes this a great book for someone trying to understand the security landscape of the modern world. Lots of points to dive in where your interests align.

[Fredrik · Rating 3 out of 5]

There are interesting nuggets here, but the book is nothing more than a collection of his writing. For long time readers there'll be repetition and some of the content is somewhat less relevant years after it first came out. Worth a read though.

[Angelo · Rating 2 out of 5]

While I love Bruce Schneier's writing, it it really tough to plod through all of this material in a single book.

If only there were an indexed, searchable, digital way to expose this material. It would form a web of articles, all in a single site; how about calling it a "website?"

[Tim Plona · Rating 2 out of 5]

A series of previously printed articles. Some dated, some a bit repetitive.

[Brandur · Rating 4 out of 5]

A collection of short articles on various types of security practices by security expert Bruce Schneier. Lots of good information, except that most of it doesn't go into great depth.

[Tim · Rating 4 out of 5]

Great overview of what actually makes us secure - and what makes us feel secure but does nothing. I quite liked that there was very little technology in the book

[Tommy /|\ · Rating 4 out of 5]

Not a bad book. A collection of his articles and essays that have been published in various locations - Bruce's material talks about security concepts from a wide variety of angles and perspectives.

[Masonicinfo · Rating 5 out of 5]

Should be national security chief!

[Thejesh GN · Rating 5 out of 5]

Actually they are posts from his blog which I enjoy.

[Robert Mcmahon · Rating 3 out of 5]

Great book with interesting insights on the current state of security and "security theatre". A good read for anyone interested in the topic of security!

[Florencia · Rating 3 out of 5]

Schneier is great, and so are all these pieces. Sadly they're a bit repetitive when all lumped into one gigantic audiobook.