Schneier's new book

Bruce "Secrets and Lies" Schneier has announced that he's working on a new, untitled book, about using information security techniques to evaluate the post-9/11 security measures we've been asked to buckle down and shut up about.

I reviewed a draft of this last month, and it is a damned fine book. It starts with the premise that bad security is worse than no security — a false sense of security puts you at more risk than eyes-open vulnerabilities. Then it discusses the idea that security is always contextual: you can't make something generally "more secure;" you can only make it more secure from some attack.

This is the setup for Bruce to tell us how to figure out if something is a risk, if some measure mitigates that risk, and points us at the ways our world has changed since 9-11, in order to make it more "secure."

This book presents a vital suite of critical thinking tools. It's a shame we won't see it on shelves until next September — publishing being what it is — but when it hits the stands, it will be required reading.

We are being told that we are in graver danger than ever, and that we must change our lives in drastic and inconvenient ways in order to be secure. We are being told that we must give up privacy or anonymity, or accept restrictions on our actions. We are being told that the police need new investigative powers, that domestic spying capabilities need to be instituted, and that our militaries must be brought to bear on countries that support terrorism. What we're being told is mostly untrue. Most of the changes we're being asked to endure don't result in good security. They don't make us safer. Some of the changes actually make things worse.

My new book, still untitled, is a book about security. Not computer security, but security in general. Its goal is to teach readers how to think differently, how to tell good security from bad security, and to be able to explain why. Its goal is to instill in readers a healthy skepticism about security, especially the technologies surrounding security. Its goal is to convince readers that good security is about people.

The book walks the reader, step by step, through security: what works, what doesn't, and why. It gives general principles that the reader can use to understand and evaluate security. It illustrates those principles with anecdotes from all over: crime, war, history, sports, natural science, myth, literature, and movies. And it gives the reader a simple process that he can use to understand the difference between good security and bad security.

Real-world security looks a whole lot like computer security. It's not just that computers are everywhere; the same concepts and methodologies that allow us to make sense of computer security also apply to the real world. In my previous book, "Secrets and Lies," I used real-world metaphors to explain computer and network security. In this book I am going to explain real-world security using the techniques, processes, and formalism from the computer world, without assuming any computer knowledge.
