Security and illusions
I was trying to introduce Bruce Schneier and his books to my fiancee the other day, and specifically how his point of view evolved from book to book.
In "Applied Cryptography", the best introduction and technical reference on the subject (concepts, algorithms and protocols), cryptography appears as the stronghold of security.
The next book, "Secrets and Lies", makes a big turn by realizing that cryptography is not an ultimate, binary solution to security that can be sprinkled here and there. Instead, security is viewed as a process, where knowledge of the system as a whole and of the threats derived from it (via threat modeling) is key to successful and managed security.
In his latest book, "Beyond Fear", this same approach of lucid examination is applied to real-world security, as opposed to electronic security. It invites the reader to train his critical thinking by analyzing examples of mitigations that actually create worse side effects and that are decided by politics and public perception rather than by a rigorous security analysis.
Schneier's latest articles, from his blog and his Crypto-Gram newsletter, provide examples of assessing the effectiveness of some measures like terrorism security alerts and levels in the US and the importance of training (vs. emotions) on security-related decisions (see Bomb scare on airplane, caused by "BOB" inscription).
I agree that security is a process. After all, attackers go for the weakest link, not the strongest ones.
You might employ killer encryption algorithms in one place, but leave some other critical path unguarded.
Posted by: Milan Negovan (October 22, 2004 08:25 AM)
This "Beyond Fear" book sounds interesting, especially in light of all the airline security issues, etc.