What I've Been Thinking About - siromoney
http://www.schneier.com/blog/archives/2013/04/what_ive_been_t.html

======
B-Con
As most of you know, this guy's career is very interesting. Every few years
he's stepped up to another level of thinking, a higher, more abstract
viewpoint of the world. It's natural for people to learn and abstract, but he
does so much of it.

Just look at his books:

* Applied Cryptography - The principles of cryptography and their applications, from a non-theory POV. Basically, "here are some tools".

* Practical Cryptography - Let's look a bit bigger picture. The issue is about how to do what you want and how to not screw it up. Let's look at how to do that.

* Secrets and Lies - Security isn't about crypto, we need to think about the whole of networking and infrastructure. Here's how to think about security more generally.

* Beyond Fear - Security is an innate part of how we think, but we need to understand how to actually think about it in the first place.

* Liars and Outliers - What _is_ security? What does it do, why do we need it, and how does it work at the basic human level?

* Power.com (subject to change) - On the principles of security on the largest human network ever.

It just keeps getting bigger.

~~~
tptacek
Schneier's career has an interesting arc that is not too dissimilar from that
of Eric Raymond, involving early modest-but-significant contributions to the
field (cryptologic literature for Schneier, open source software for Raymond),
then a marked phase of popularization and evangelism, followed by a full-
throttle transition into punditry.

I'd definitely push back on the way you characterized _Applied_ and
_Practical_ (now called _Cryptography Engineering_). The two books are very
different and are the product of different authors; Schneier wrote _Applied_
but co-authored _Practical_.

_Applied_ is a broad survey of cryptographic techniques that was good for its
time but has aged terribly and probably done more harm than good for the
industry†.

_Practical_ is an engineering book; unlike _Applied_, which is a sightseeing
tour of the field, _Practical_ is a book about actually building systems with
cryptography. Also unlike _Applied_, _Practical_ is diligent about recognizing
the limitations of mass-market technical books; it explains things just as
often to convince you _not_ to implement things as it does to motivate you to
implement them. _Practical_ does not have a lot of "rah-rah" in it. It's not
an evangelistic book. The tone of its prose, a mix of casual, clear, and
precise, is all Schneier, but the content is wildly different from _Applied_.
It's a narrower book, not a "bigger" one.

You might be right about the progression of Schneier's other books. I'm not
sold on the idea of a career in information security as a springboard to
public policy research on security. Real-world security is not very much like
information security at all.

On the specific issue of the book he's promoting right now, I think it's worth
pointing out that Schneier has been wrong as often as he's been right about
macro-Internet security. Example: Schneier was an early opponent of
vulnerability research, for instance; he used his Crypto-Gram newsletter to
single out eEye for irresponsibly disclosing Windows vulnerabilities. eEye was
a pioneer of what we'd now call "Responsible Disclosure" (an Orwellian term
whose basic function is to marginalize Metasploit) and employed people like Riley
Hassell, Derek Soeder, and Barnaby Jack, all of whom are now vulnerability
research authorities.

† _(though you can't necessarily say that for the field of cryptography, which
he did more to popularize than anyone; perhaps there are a lot of great postdoc
crypto people today who got into the field because of _Applied_)_

~~~
B-Con
> _Applied_ is a broad survey of cryptographic techniques that was good for
> its time

> _Practical_ is a book about actually building systems with cryptography.

Yep. That's pretty much what I said. Applied is about the tools, Practical is
about using the tools properly. It's a higher level in the thinking chain,
although my original choice of "bigger" isn't necessarily the best word to use
there.

> probably done more harm than good for the industry†

Yes, yes. It gave too many weapons to too poorly educated software developers.
We know that.

~~~
tptacek
I think the opposite is true: _Applied_ considers cryptography at a higher
level, covers more concepts, has the broader charter.

------
paganel
> The four tools of Internet oppression -- surveillance, censorship,
> propaganda, and use control -- have both government and corporate uses.

It's funny (for a very broad definition of the word funny) to have seen this
happening as an almost direct witness on websites such as reddit, for example.
I remember how during the August 2006 Lebanon War
(<https://en.wikipedia.org/wiki/2006_Lebanon_War>) there was an entire downvote
brigade for anything that was against Israel and consequent upvotes for
positive references. One or two years later there was an article that was
quickly buried which mentioned how the Israeli government had a special
department to handle this exact use-case (Internet propaganda) during
"sensitive" times.

Fast forward to November 24th of last year and I find this quote in Financial
Times, made during the latest confrontations between Israel and Hamas:

> "This is a classic example of asymmetric warfare (...) This is the type of
> warfare that takes place not on the ground but on TV and _computer screens_
> all over the world. One side is trying to show the world how miserable and
> how much of an underdog they are, while not being afraid and not losing"
> (the emphasis is mine)

The quote was made by Yiftah Shapir, head of the military balance project at
the Institute for National Security Studies based in Tel Aviv.

So it seems like Internet propaganda and "asymmetrical warfare" have indeed
become mainstream and a thing that's no longer hidden under the rug as crazy
conspiracy.

------
bernardom
This is a very well written synopsis and I am interested in reading the book
when it comes out. Hopefully we can help him find a better title, though.

"Power and the Internet" is a much better title than "Power.com," IMO.

~~~
shasta
Not as good of a title as "What I've Been Thinking About", apparently.

------
Create
This is a technocrat description of national socialism based on technology and
corporatism. Been there, done that. Eben has already warned about the
totalitarianism not of the future, but of the present:

[http://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-t...](http://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-thought-requires-free-media)

~~~
stevvooe
How does Schneier's abstract not complement Professor Eben Moglen's argument?

~~~
Create
I would be surprised if it would turn out that Schneier wasn't active in
building this stuff at DoD and AT&T etc.

------
meatsock
I looked very closely for the April Fools' joke here.

~~~
greenmountin
I couldn't tell if he was serious either -- this is an incredibly boring
manifesto. He definitely was ahead of the game on a bunch of things, so I hope
he takes some more time to think deeply about what he wants to accomplish.

------
abraininavat
I don't buy the comparison of our internet practices to feudalism. There is no
Lord with control over all the land and thus control over the people, who need
to work the land to survive.

Google, Facebook, and the like provide a service. A completely optional
service. Anyone can choose among them freely. Don't like that X won't let you
take your data when you want to move? Choose Y. Don't like any of the above?
Set up a mail server on EC2. Don't like Amazon? Pay for your own host
somewhere. Can't afford a host? Pool your money with like-minded people.

Unlike the land of Lords, the internet is not all bought up and unavailable to
us peasants.

~~~
npsimons
_Unlike the land of Lords, the internet is not all bought up and unavailable
to us peasants._

Yet.

What happens when all your family and friends are on X (where X is (or is
like) Facebook or Google+), and the only way to keep in touch with them is by
giving in and joining?

~~~
RyanZAG
Explain to them about the risks and business plans of companies like Facebook
and Google. Give them your email address, telephone number and website/blog
and ask for theirs.

If they are only prepared to keep in touch with you through something like
Facebook and Google+, then they're not really interested in keeping in touch.
Rather go find people with whom you are actually both mutually interested and
stop chasing after 'obligations'. Life is too short.

~~~
rivd
> then they're not really interested in keeping in touch

Yes, or they are simply not interested in stories about the risks and plans of
Google and Facebook. Or do not understand when you try to explain it.

A significant part of my family and friends is already on that path: only
reachable through sites like Facebook or Gmail. Taking some "political stance"
in not joining (how they see it) will very readily be translated into "you are
not joining. You are not really interested in keeping in touch with me."

So no. It will work out precisely the other way around.

~~~
monkeyspaw
I am compelled to point out that gmail is just an interface to email. Perhaps
you meant G+?

Either way, I think email is a pretty open method of communication. As hard as
they've tried, FB/G+/Twitter have managed to augment rather than supplant
email.

They're also pretty new. I suspect in 30 years, nobody will be using them, but
email will still be around. (Probably still using SMTP and battling spam,
TBH...)