Schneier's career has an interesting arc that is not too dissimilar from that of Eric Raymond, involving early modest-but-significant contributions to the field (cryptologic literature for Schneier, open source software for Raymond), then a marked phase of popularization and evangelism, followed by a full-throttle transition into punditry.
I'd definitely push back on the way you characterized _Applied_ and _Practical_ (now called _Cryptography Engineering_). The two books are very different and are the product of different authors; Schneier wrote _Applied_ but co-authored _Practical_.
_Applied_ is a broad survey of cryptographic techniques that was good for its time but has aged terribly and probably done more harm than good for the industry†.
_Practical_ is an engineering book; unlike _Applied_, which is a sightseeing tour of the field, _Practical_ is a book about actually building systems with cryptography. Also unlike _Applied_, _Practical_ is diligent about recognizing the limitations of mass-market technical books; it explains things just as often to convince you not to implement things as it does to motivate you to implement them. _Practical_ does not have a lot of "rah-rah" in it. It's not an evangelistic book. The tone of its prose, a mix of casual, clear, and precise, is all Schneier, but the content is wildly different from _Applied_. It's a narrower book, not a "bigger" one.
You might be right about the progression of Schneier's other books. I'm not sold on the idea of a career in information security as a springboard to public policy research on security. Real-world security is not very much like information security at all.
On the specific issue of the book he's promoting right now, I think it's worth pointing out that Schneier has been wrong as often as he's been right about macro-Internet security. Example: Schneier was an early opponent of vulnerability research, for instance; he used his Crypto-Gram newsletter to single out eEye for irresponsibly disclosing Windows vulnerabilities. eEye was a pioneer of what we'd now call "Responsible Disclosure" (an Orwellian term whose basic function is to marginalize Metasploit) and employed people like Riley Hassell, Derek Soeder, and Barnaby Jack, all of whom are now vulnerability research authorities.
† (though you can't necessarily say that for the field of cryptography, which he did more to popularize than anyone; perhaps there are a lot of great postdoc crypto people today who got into the field because of _Applied_)
The way I recall it (and I wonder if you'll agree - you are certain to know much more about it than I do), Applied was sort of a cryptography Bible in the '90s. It filled a huge void when it appeared, and deserved the fame it acquired. It aged badly, but any book of its kind would; I don't think it or its author deserve the blame for people cluelessly continuing to rely on it in the 2010s.
To me, Applied places Schneier into a very separate category from ESR, whose open-source contributions actually were _very_ modest and not at all significant.
I differ from you in that I think it's fair to judge a book about cryptography for failing to establish the engineering principles required to use its concepts correctly; it would be like an algorithms book that recommended Bubble Sort, except worse because of the consequences of mistakes.
So, for instance, you can leave _Applied Cryptography_ thinking that it's reasonable to use RSA to encrypt sporadic small semantically-meaningful messages, or to deploy a block cipher in ECB mode, or to base a protocol on Diffie Hellman without a trust anchor to break ties for MITM, or to fail to authenticate your ciphertext... and that's just the stuff you notice when you constrain your attention to the mainstream topics in the book, which obviously spends a whole lot of time touring marginal algorithms and protocols without providing clear signals about their unsuitability for deployment.
Another way to look at it is that _Practical_ is a book that is fighting against developers building their own ad-hoc cryptosystems out of things like AES, and _Applied_ is a book that is fighting against developers building their own block ciphers. And if "not replacing AES" is the battle you're fighting, you're already totally screwed, I guess.
When I think about Schneier's contributions to the field, _Applied_ and _Practical_ don't count; they're books, not papers. I'm suggesting instead that you look at his cite record. There's significant stuff there! But it's virtually always as part of teams of otherwise well-established cryptography researchers, and it's clearly not of the same kind as, say, Joan Daemen or Daniel Bleichenbacher or Don Coppersmith or Philip Rogaway. And I don't mean that in a "Schneier's no Rogaway" sense!
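Two of the pitfalls named above, ECB mode and unauthenticated ciphertext, demonstrated in an added example that is not from this thread or from either book. It uses HMAC-SHA256 as a stand-in for a real block cipher and for a counter-mode keystream (an assumption: the toy "cipher" is deterministic but not invertible, which is all the ECB leak needs), and shows the encrypt-then-MAC check that makes tampering detectable.

```python
import hmac
import hashlib

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a block cipher (assumption: keyed and deterministic, not AES,
    # not invertible). Showing ECB's leak only needs determinism.
    assert len(block) == BLOCK
    return hmac.new(key, b"blk" + block, hashlib.sha256).digest()[:BLOCK]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB encrypts each block independently: equal plaintext blocks give equal
    # ciphertext blocks, so the structure of the message leaks.
    assert len(plaintext) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Unauthenticated stream encryption; the same call decrypts. Flipping a bit
    # of ciphertext flips the same bit of plaintext and nothing detects it.
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The fix: a MAC over nonce and ciphertext under a separate key (encrypt-then-MAC).
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_and_verify(enc_key: bytes, mac_key: bytes, message: bytes):
    # Check the tag in constant time before decrypting; None means tampered.
    nonce, ct, tag = message[:BLOCK], message[BLOCK:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_encrypt(enc_key, nonce, ct)
```

With a repeated plaintext block, `repeated_blocks` is nonzero for ECB and zero for the counter mode; a one-byte change to an unauthenticated ciphertext decrypts to a changed plaintext, while `decrypt_and_verify` rejects the same change.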
> _Applied_ is a broad survey of cryptographic techniques that was good for its time
> _Practical_ is a book about actually building systems with cryptography.
Yep. That's pretty much what I said. Applied is about the tools, Practical is about using the tools properly. It's a higher level in the thinking chain, although my original choice of "bigger" isn't necessarily the best word to use there.
> probably done more harm than good for the industry†
Yes, yes. It gave too many weapons to too poorly educated software developers. We know that.
> _Applied_ is a broad survey of cryptographic techniques that was good for its time but has aged terribly and probably done more harm than good for the industry†.
Do you blame Cormen for all the people that don't use library sorting functions but implement their own?
Did you mean something else, then, with "done more harm than good for the industry"? I don't know much about crypto or Schneier's work; I am just curious what you meant if what you said wasn't in reference to people choosing to hand-code their crypto routines.
I probably mean what you think I mean. But, among other things, (i) using a broken sort algorithm is nowhere near as bad a problem as getting block cipher modes wrong, (ii) CLR isn't a mass-popularizing evangelical text about algorithms, and (iii) basic fundamental algorithms and algorithmic analysis aren't a moving target like cryptography is.
I am not making a moral judgement about _Applied_. I don't think the guy should wear a hairshirt. As a book, it's a great book; it sold well for a reason. As an instrument of software engineering, though, it's a bit of a curse.
By popularizing cryptology when it did, Applied Cryptography probably played a big role in keeping academic/open cryptography around.
My memory is hazy, but I think the big vendors would have been happy implementing closed libraries with government-controlled key lengths and algorithms (if not Clipper, at least patent-encumbered...), with export restrictions, and potentially escrow.
I can't see IBM, AT&T, etc. fighting to keep keys unescrowed (which is the equivalent of fighting to make hostproof apps, technical avoision of CALEA, etc. today, which isn't exactly a mainstream position of large companies...) if consumers didn't demand it. For consumers to demand it, crypto-nerds needed to make an issue of it.