Sunday, October 28, 2007

A good read

My current reading is a book by Bruce Schneier, who started off in computer and network security, but is now regarded as one of the best authorities on security in general. His latest book, for a popular audience, is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. The subtitle pretty much sums it up. This book was published in 2006, so it has five years' hindsight about the 9/11 attacks and the change in perceptions about security since then. He has quite a few things to say on the matter: on the attacks themselves, the state of anti-terrorism security before then, and some of the changes to airline security that have occurred since then. He largely eschews the political questions involved - security measures aren't Right or Left, but rather Good or Worthless. Mostly, he uses aspects of 9/11 and airline security measures as illustrations to instill in the reader a broader understanding of what security really is: how it works, what it can and can't do, what constitutes good security, and so on. In his approach, security isn't only walls, locks, and guys with guns protecting us against hijackings, bank robbery, and computer hacks. Above all, in every situation that requires security, he provides a framework for systematic analysis that forces a close examination of the real risks, the possible mitigations, and the trade-offs. He reiterates that all security systems can break, perfect security is a fantasy, and all security has costs, not all of which are monetary.

With all the fear mongering about terr'rists, and the various security measures (good and bad, effective and brittle) that have been pushed through using that fear as justification, it is, to me, a wonderful breath of fresh air to see someone dispassionately and intelligently examine what security is all about and how to evaluate it. I recommend it highly.

Book review (and ensuing discussion) at Slashdot.
