Schneier reviews: Here Comes Everybody - bdfh42
http://www.schneier.com/blog/archives/2008/11/here_comes_ever.html

======
tptacek
You'd take him a little more seriously if he reviewed serious books, instead
of having his first widely-acknowledged book review be for fellow gadfly and
net-personality Clay Shirky.

When Michael Lewis, author of Liar's Poker and Moneyball and increasingly
famous narrative journalist, reviews the literature on the economic crisis, he
digs up, reproduces, and editorializes curated news articles from the 1989
crash; prior to that, he published a 9,382,382,293 page compendium of the
fundamental work in economics.

But we pay attention to blog post reviews of blog post books, because... we're
fans, I guess? Sorry. I feel compelled to keep questioning why we take this
guy so seriously.

~~~
alecco
Yes. Schneier is the Seth Godin of IT security; it's a self-marketroid
personality cult. I have to admit I usually agree with his positions, but more
often than not I don't like his reasoning. Also, he tends to talk about things
out of his sphere of knowledge.

~~~
gjm11
That's not entirely fair; he got famous by writing a big crypto book that
everyone read (and I think still reads, though it's kinda dated now) and the
blog-based personality cult came later.

Of course, having a broad understanding of cryptographic algorithms doesn't
guarantee being a good pundit on security issues.

(Schneier has written some perfectly decent books in his security-pundit role,
too, but they aren't definitive in the way that "Practical Cryptography"
arguably was.)

~~~
tptacek
He got famous by writing "Applied Cryptography", a technical book about
cryptography that is well regarded among laypeople and poorly regarded among
practitioners. "Practical Cryptography", the book you cited (which he co-
authored with Niels Ferguson, a well-regarded cryptographer), contains
Schneier's own disavowal of "Applied".

"Applied" is "definitive" among laypeople and generalist programmers.
"Practical" is an excellent book, but I dispute that it is in any way
"definitive". More people have the evil red book on their desk than the good
black book.

~~~
gjm11
Oops, sorry, mixed up the titles. I meant to write PC where I wrote AC. If PC
disavows AC, then I've failed to find the disavowal by looking up the pointers
to AC in the index of PC. There's something nearer to a disavowal in "Secrets
and Lies", but it still doesn't go further than (I paraphrase) "I focused on
the algorithms, but actually other stuff matters more". (Both books mention
that plenty of very bad systems have been built by people who read AC and
thought they were therefore experts, but I don't think it's fair to blame that
on AC.)

There's a reason why I put "arguably" in front of "definitive" :-). But the
point is that what got Schneier famous was writing a big fat book, with lots
of technical content, that a lot of people read and were impressed by. That
may be less solid than writing a big book that _deserves_ to impress everyone,
but it's not at all the same thing as pure blogging bloviation.

(AC doesn't seem so very bad to me, aside from being out of date and being too
much of an unassimilated algorithm-dump, but then I'm a generalist rather than
a security professional.)

~~~
tptacek
You're right; I've overstated (I'm not making up that he's essentially
disavowed it, but I can't find the cite I'm looking for, so assume it's just
hyperbole).

Here's the passage I was thinking of in "Practical":

_Among cryptographers, Bruce's first book, Applied Cryptography, is both
famous and notorious. It is famous for bringing cryptography to the attention
of thousands of people. It is infamous for the systems that these people then
designed and implemented on their own._

The problems with AC include:

* No attention given to any of the practical vulnerabilities in cryptosystems, so that you could deploy code directly from the book and still have it be vulnerable to ECB cut-and-paste or parameter tampering.

* A candy shop of random ciphers without any context as to why one would be chosen over the other, with varying degrees of detail provided for each.

* Descriptions of protocols that are largely obsolete or discredited, without warnings or disclaimers or, really, any actual didactic purpose.

"Applied" seemed great to me too, but then I became a practitioner (though by no
means an expert). Even "Practical" lacks detail on a lot of major crypto
issues --- side-channel attacks, parameter tampering, the safe use of public
key primitives and signature validation --- that actually occur in real
systems.
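The "ECB cut-and-paste" point above is easy to see in code. The following is an added example (not from the thread or from either book): it encrypts a two-field record in ECB mode, swaps the two ciphertext blocks as a rearranged message in transit would, and shows that ECB decryption accepts the result with the fields silently exchanged, while AES-GCM (an authenticated mode) rejects the same rearrangement. The key, nonce and record are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ECB is deliberately absent from crypto/cipher, so it is spelled out here:
// each 16-byte block is transformed on its own, independent of its neighbours.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		op(out[i:i+16], in[i:i+16])
	}
	return out
}

// swapBlocks returns a copy of buf with 16-byte blocks i and j exchanged,
// modelling a ciphertext whose blocks were rearranged before it arrived.
func swapBlocks(buf []byte, i, j int) []byte {
	out := append([]byte(nil), buf...)
	copy(out[i*16:], buf[j*16:j*16+16])
	copy(out[j*16:], buf[i*16:i*16+16])
	return out
}

// ecbAfterSwap is what a receiver using ECB sees: decryption "succeeds" and
// the two fields have changed places with nothing to signal it.
func ecbAfterSwap(key, pt []byte, i, j int) []byte {
	b, _ := aes.NewCipher(key) // 16-byte key, so no error is possible here
	return ecb(b.Decrypt, swapBlocks(ecb(b.Encrypt, pt), i, j))
}

// gcmAfterSwap does the same with AES-GCM: Open fails because the
// authentication tag covers every block, so the rearrangement is detected.
func gcmAfterSwap(key, nonce, pt []byte, i, j int) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, nonce, swapBlocks(g.Seal(nil, nonce, pt, nil), i, j), nil)
}

func main() {
	key := []byte("0123456789abcdef")                  // constructed 128-bit key
	nonce := []byte("unique-nonce")                    // constructed 12-byte nonce; never reuse with a key
	rec := []byte("user=alice      user=admin      ") // two constructed 16-byte fields
	fmt.Printf("ECB: %q\n", ecbAfterSwap(key, rec, 0, 1))
	_, err := gcmAfterSwap(key, nonce, rec, 0, 1)
	fmt.Println("GCM:", err)
}
```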

~~~
kaens
I've read AC, and found it good for getting a handle on what's going on in
cryptosystems. It _definitely_ didn't leave me feeling like I was anywhere
near prepared to implement one. (And the book's a bit dated).

Since you seem to have a lot of experience in this area, what would you
recommend as really good reading?

~~~
tptacek
You want to ask Colin Percival (hn://cperciva) this question, since Colin's a
professional cryptographer and I'm a software security person. That said, I
like "Practical Cryptography" ( _not_ Applied Cryptography) and I don't know
of a good book that covers side channel attacks or parameter tampering; you
just have to be very interested in the topic, follow the news, and start
attacking systems.

I would say one of the best things about "Practical" is that it will leave you
feeling _even less_ prepared to implement a cryptosystem on your own, even
though you'll know much more about how to do it.

~~~
kaens
Thanks. I'll give PC a read, and perhaps drop cperciva a line. I'm pretty
fascinated by cryptography, and I like to be decently well-informed, but I
don't see myself focusing on it anytime soon.

------
Alex3917
When I was reading this I was thinking, wow, this is a really good book
review. Which, if you think about it, is kind of sad-- the fact that reviewers
who are able to pick out the thesis of the book and its main arguments are the
exception, rather than the rule.

~~~
evgen
This speaks more to the quality of the author than the reviewers. If the
author can't effectively communicate his point to people not steeped in the
culture and conventions being examined then this book is not as good as you
think it is.
