As most of you know, this guy's career is very interesting. Every few years he's stepped up to another level of thinking, a higher, more abstract viewpoint of the world. It's natural for people to learn and abstract, but he does so much of it.
Just look at his books:
* Applied Cryptography - The principles of cryptography and their applications, from a non-theory POV. Basically, "here are some tools".
* Practical Cryptography - Let's look a bit bigger picture. The issue is about how to do what you want and how to not screw it up. Let's look at how to do that.
* Secrets and Lies - Security isn't about crypto, we need to think about the whole of networking and infrastructure. Here's how to think about security more generally.
* Beyond Fear - Security is an innate part of how we think, but we need to understand how to actually think about it in the first place.
* Liars and Outliers - What is security? What does it do, why do we need it, and how does it work at the basic human level?
* Power.com (subject to change) - On the principles of security on the largest human network ever.
Schneier's career has an interesting arc that is not too dissimilar from that of Eric Raymond, involving early modest-but-significant contributions to the field (cryptologic literature for Schneier, open source software for Raymond), then a marked phase of popularization and evangelism, followed by a full-throttle transition into punditry.
I'd definitely push back on the way you characterized _Applied_ and _Practical_ (now called _Cryptography Engineering_). The two books are very different and are the product of different authors; Schneier wrote _Applied_ but co-authored _Practical_.
_Applied_ is a broad survey of cryptographic techniques that was good for its time but has aged terribly and probably done more harm than good for the industry†.
_Practical_ is an engineering book; unlike _Applied_, which is a sightseeing tour of the field, _Practical_ is a book about actually building system with cryptography. Also unlike _Applied_, _Practical_ is diligent about recognizing the limitations of mass-market technical books; it explains things just as often to convince you not to implement things as it does to motivate you to implement them. _Practical_ does not have a lot of "rah-rah" in it. It's not an evangelistic book. The tone of its prose, a mix of casual, clear, and precise, is all Schneier, but the content is wildly different from _Applied_. It's a narrower book, not a "bigger" one.
You might be right about the progression of Schneier's other books. I'm not sold on the idea of a career in information security as a springboard to public policy research on security. Real-world security is not very much like information security at all.
On the specific issue of the book he's promoting right now, I think it's worth pointing out that Schneier has been wrong as often as he's been right about macro- Internet security. Example: Schneier was an early opponent of vulnerability research, for instance; he used his Crypto-Gram newsletter to single out eEye for irresponsibly disclosing Windows vulnerabilities. eEye was a pioneer of what we'd now call "Responsible Disclosure" (an Orwellian term whose basic function is to marginalize Metasploit) and employed people Riley Hassell, Derek Soeder, and Barnaby Jack, all of whom are now vulnerability research authorities.
† (though you can't necessarily say that for the field of cryptography, which he did more to popularize than anyone; perhaps there are lot of great postdoc crypto people today who got into the field because of _Applied_)
The way I recall it (and I wonder if you'll agree - you are certain to know much more about it than I do) Applied was sort of a cryptography Bible in the 90ies. It filled a huge void when it appeared, and deserved the fame it acquired. It aged badly, but any book of its kind would; I don't think it or its author deserve the blame for people cluelessly continuing to rely on it in 2010s.
To me, Applied places Schneider into a very separate category from ESR, whose open-source contributions actually were _very_ modest and not at all significant.
I differ from you in that I think it's fair to judge a book about cryptography for failing to establish the engineering principles required to use its concepts correctly; it would be like an algorithms book that recommended Bubble Sort, except worse because of the consequences of mistakes.
So, for instance, you can leave _Applied Cryptography_ thinking that it's reasonable to use RSA to encrypt sporadic small semantically-meaningful messages, or to deploy a block cipher in ECB mode, or to base a protocol on Diffie Hellman without a trust anchor to break ties for MITM, or to fail to authenticate your ciphertext... and that's just the stuff you notice when you constrain your attention to the mainstream topics in the book, which obviously spends a whole lot of time touring marginal algorithms and protocols without providing clear signals about their unsuitability for deployment.
Another way to look at it is that _Practical_ is a book that is fighting against developers building their own ad-hoc cryptosystems out of things like AES, and _Applied_ is a book that is fighting against developers building their own block ciphers. And if "not replacing AES" is the battle you're fighting, you're already totally screwed, I guess.
When I think about Schneier's contributions to the field, _Applied_ and _Practical_ don't count; they're books, not papers. I'm suggesting instead that you look at his cite record. There's significant stuff there! But it's virtually always as part of teams of otherwise well-established cryptography researchers, and it's clearly not of the same kind as say Joan Daemen or Daniel Bleichenbacher or Don Coppersmith or Philip Rogaway. And I don't mean that in a "Schneier's no Rogaway" sense!
> _Applied_ is a broad survey of cryptographic techniques that was good for its time
> _Practical_ is a book about actually building system with cryptography.
Yep. That's pretty much what I said. Applied is about the tools, Practical is about using the tools properly. It's a higher level in the thinking chain, although my original choice of "bigger" isn't necessarily the best word to use there.
> probably done more harm than good for the industry†
Yes, yes. It gave too many weapons to too poorly educated software developers. We know that.
_Applied_ is a broad survey of cryptographic techniques that was good for its time but has aged terribly and probably done more harm than good for the industry†.
Do you blame Cormen for all the people that don't use library sorting functions but implement their own?
Did you mean something else then with done more harm than good for the industry ? I don't know much about crypto or Schneiers work, I am just curious what you meant if what you said wasn't in reference to people choosing to hand code their crypto routines.
I probably mean what you think I mean. But, among other things, (i) using a broken sort algorithm is nowhere near as bad a problem as getting block cipher modes wrong, and (ii) CLR isn't a mass-popularizing evangelical text about algorithms, and (iii) basic fundamental algorithms and algorithmic analysis isn't a moving target like cryptography is.
I am not making a moral judgement about _Applied_. I don't think the guy should wear a hairshirt. As a book, it's a great book; it sold well for a reason. As an instrument of software engineering, though, it's a bit of a curse.
By popularizing cryptology when it did, Applied Cryptography probably played a big role in keeping academic/open cryptography around.
My memory is hazy, but I think the big vendors would have been happy implementing closed libraries with government-controlled key lengths and algorithms (if not clipper, at least patent-encumbered....), with export restrictions, and potentially escrow.
I can't see IBM, ATT, etc. fighting to keep keys unescrowed (which is the equivalent of fighting to make hostproof apps, technical avoision of CALEA, etc. today, which isn't exactly a mainstream position of large companies...), if consumers didn't demand it. For consumers to demand it, crypto-nerds needed to make an issue of it.
I saw Schneier debate Jonathan Zittrain and Mike McConnell on the topic of cyberwar. He was authoritative, calm, and pragmatic as he described the security and recovery systems of the Internet, and why it's unlikely that terrorists (for example) could take the whole thing down or permanently damage our banks with cyber attacks.
But as he strays more toward topics of motivation, power, and influence in his personal writing, I feel like he is getting more alarmist and shrill. It's not enough to talk about the mechanics of Internet security; now he wants to assign motivations and discuss the secret agendas of the poweful. I just feel like he is on shakier ground with respect to his technical expertise or personal experience. He's a great writer, but I'm not convinced I should privilege his vision of the future over anyone else's.
> The four tools of Internet oppression -- surveillance, censorship, propaganda, and use control -- have both government and corporate uses.
It's funny (for a very broad definition of the word funny) to have seen this happening as an almost direct witness on websites such as reddit, for example. I remember how during the August, 2006 Lebanon War (https://en.wikipedia.org/wiki/2006_Lebanon_War) there was an entire down-vote brigade for anything that was against Israel and consequent upvotes for positive references. One or two years later there was an article that was quickly buried which mentioned how the Israeli government had a special department to handle this exact use-case (Internet propaganda) during "sensitive" times.
Fast forward to November 24th of last year and I find this quote in Financial Times, made during the latest confrontations between Israel and Hamas :
> This is a classic example of asymmetric warfare (...) This is the type of warfare that takes place not on the ground but on TV and computer screens all over the world. One side is trying to show the world how miserable and how much of an underdog they are, while not being afraid and not losing" (the emphasis is mine)
The quote was made by Yiftah Shapir, head of the military balance project at the Institute for National Security Studies based in Tel Aviv.
So it seems like Internet propaganda and "asymmetrical warfare" has indeed become mainstream and a thing that's no longer hidden under the rug as crazy conspiracy.
This is a technocrat description of national socialism based on technology and corporatism. Been there, done that. Eben has already warned about the totalitarianism not of the future, but of the present:
I couldn't tell if he was serious either -- this is an incredibly boring manifesto. He definitely was ahead of the game on a bunch of things, so I hope he takes some more time to think deeply about what he wants to accomplish.
I don't buy the comparison of our internet practices to feudalism. There is no Lord with control over all the land and thus control over the people, who need to work the land to survive.
Google, Facebook, and the like provide a service. A completely optional service. Anyone can choose among them freely. Don't like that X won't let you take your data when you want to move? Choose Y. Don't like any of the above? Set up a mail server on EC2. Don't like Amazon? Pay for your own host somewhere. Can't afford a host? Pool your money with like-minded people.
Unlike the land of Lords, the internet is not all bought up and unavailable to us peasants.
Unlike the land of Lords, the internet is not all bought up and unavailable to us peasants.
Yet.
What happens when all your family and friends are on X (where X is (or is like)) Facebook or Google+, and the only way to keep in touch with them is by giving in and joining?
Explain to them about the risks and business plans of companies like Facebook and Google. Give them your email address, telephone number and website/blog and ask for theirs.
If they are only prepared to keep in touch with you through something like Facebook and Google+, then they're not really interested in keeping in touch. Rather go find people with which you are actually both mutually interested and stop chasing after 'obligations'. Life is too short.
> then they're not really interested in keeping in touch
Yes, or they are simply not interested in stories about the risks and plans of Google and Facebook. Or do not understand when you try to explain it.
A significant part of my family and friends is already on that path: only reachable through sites like facebook or gmail. Taking some "political stance" in not joining (how they see it) will very readily be translated in "you are not joining. you are not really interested in keeping in touch with me."
So no. It will work out precisely the other way around.
I am compelled to point out that gmail is just an interface to email. Perhaps you meant G+?
Either way, I think email is a pretty open method of communication. As hard as they've tried, FB/G+/Twitter have managed to augment rather than supplant email.
They're also pretty new. I suspect in 30 years, nobody will be using them, but email will still be around. (Probably still using SMTP and battling spam, TBH...)
Still a poor analogy. With feudalism, people had no choice. Now people have a choice but due to social pressure make terrible choices. No system can save people from their own short-sightedness, the best case is a system where those who want to choose an alternative can do so, and the Internet provides that.
And there is always the option of creating a puppet account on facebook and keeping any sensitive information anonymous.
Comparing this to indentured servitude is pretty silly. A serf has to eat. If all your friends and family are on Facebook and refuse to interact with you via any other means, that is not the same as being forced.
What? Ignoring the fact that I can't figure out what your second sentence means, obviously he's comparing it to forced labor. That's what we're talking about.
Trying to clarify what I mean, I'll probably give up after this as I'm
on my 3rd day of very little sleep so perhaps I'm just incoherent.
My reading of his linked essay is as a discussion of the power dynamic
between users and companies they rely on. This is compared with a
romanticized version of feudalism. While the users are not compelled
to actually use these services, once they enter into them they are at
the mercy of the companies (feudal lords) to not take advantage of
their much greater position of power (like his version of the early
feudal era serfs).
> There is no Lord with control over all the land and thus control over the people, who need to work the land to survive.
But there is.
The lords change with time (oh, do they ever!), but there are inherent aspects of technology which make it very prone to developing monopolies.
First was AT&T (we're talking 1913 and the initial anti-trust agreement, the Kingsbury Committment). In the 1950s, IBM emerged as a computing powerhouse, a position it retained until 1990. Intel dominated (and still dominates) ICs and CPUs. Microsoft ruled consumer operating system space from the late 1980s through the mid 2000s, and still dominates in business workstations and small servers. Apple, Google, and Facebook have emerged in portable consumer electronics, search and applications, and social networking, respectively. Telecoms is once again a monopoly or oligopoly, with AT&T owning POTS and Comcast most cable contracts.
Attacking any one of these positions is very difficult. Generally, the old giants collapse either from internal mismanagement, the emergence of a new paradigm or technology, or both. Technical superiority, economies of scale, and network effects generally provide extremely strong competitive advantages to market leaders.
However brief their tenure in the power seat, during that tenure, the incumbent or incumbents are exceptionally powerful. Most of the companies I've listed have been among the most highly valued in the world at some point in their existence.
I thought the point of his analogy (originally, not in this piece) was that the Internet was becoming such a dangerous/warlike place that individual businesses or users couldn't feasibly have the infrastructure to defend themselves, and would need to be part of a bigger collective like Google, AWS, etc. to deploy services and operate within their protective umbrella.
i.e. it was about technical security originally, not functionality and privacy/control.
That doesn't preclude "rugged individualists" from living in the mountains in a cabin full of guns, and remaining safe as long as they stay out of the focused attack of one of the Great Powers or some band if brigands, but it does mean all the regular farmers will want a feudal lord to protect them, rather than living in an undefended farmstead somewhere (as one might do if there weren't constant warfare).
The trend there is actually increasingly toward needing "real infrastructure" to host things, vs. the old style run a web server on a workstation on your desk as the first-class solution. If nothing else, it's partially because there are now billions instead of thousands of potential users.
This is a great example of exactly the kind of opinion-setting Bruce is talking about. I think it's pretty clear that services like Google are hardly optional in this day in age, especially when it comes to making a living i.e. eating, which brings us right back to the feudalism allegory.
There's nothing to disagree with in the OP's comment or your comment. Because they are just refusing to accept any of the facts of the article. It's pointless to engage you because you will never try to directly refute evidence, but will instead attempt to distract and dramatize. I've seen this rhetorical style a million times; it's very formulaic.
This kind of head-in-the-sand, denial-comment like the OP is exactly the same rhetorical style that Israel used in the Lebanon war on Reddit. Is the OP an actual agent with opinion setting agenda? Does it matter? Our only option is to be aware of common fallacious argument methods, and do our research.
This entire comment is a non-sequitur. I can't even figure out what part of my comment it replies to. Are you sure you replied to the right comment? That's a mistake I sometimes make.
Perhaps you should reread your comment then read mine to help you grok. I could say the same about your comment. What does the authors comfort have to do with anything? You simply ignored their source refuting that these services are optional and attacked the author.
At least I'm actually talking about the subject and you continue to offer nothing but passive aggressive Ad hominem attacks. I'm not at all surprised and I anticipate another comment from you along the same lines.
Oh, that's easy: I think you should feel a little uncomfortable telling someone else you think they're being misleading, because it's another way of saying they're being deliberately deceptive, which is not something you'd say to their face.
I'm sure it's something I've said too, and if I was called out on it, I'd like to think I'd agree and amend my comment.
It is a little strange to call that point out as "ad hominem", for whatever it's worth.
Just look at his books:
* Applied Cryptography - The principles of cryptography and their applications, from a non-theory POV. Basically, "here are some tools".
* Practical Cryptography - Let's look a bit bigger picture. The issue is about how to do what you want and how to not screw it up. Let's look at how to do that.
* Secrets and Lies - Security isn't about crypto, we need to think about the whole of networking and infrastructure. Here's how to think about security more generally.
* Beyond Fear - Security is an innate part of how we think, but we need to understand how to actually think about it in the first place.
* Liars and Outliers - What is security? What does it do, why do we need it, and how does it work at the basic human level?
* Power.com (subject to change) - On the principles of security on the largest human network ever.
It just keeps getting bigger.