Read the book Hacking the Hacker - Grimes Roger A. - Page 13
3
Profile: Bruce Schneier
Bruce Schneier is one of those people with so much experience and expertise that many introductions refer to him using the words "industry luminary." Starting out as the man many called the "father of modern-day computer cryptography," Schneier moved beyond his early focus on ciphers to ask the bigger question of why computer security is not significantly better after all these decades. He speaks with authority and clarity on a wide range of computer security topics. He is frequently invited as an expert on national television shows and has testified several times before the United States Congress. Schneier writes and blogs, and I have always considered his teachings to be my informal master's degree in computer security. I would not be half the computer security practitioner I am today without his public education. He is my unofficial mentor.
Schneier is famous for saying disarmingly simple things that get to the heart, and sometimes the gut, of a previously held belief or dogma. For example, "If you are focused on SSL attacks, then you're doing better in computer security than the rest of the world." He meant that there are so many other things that are exploited far more often that if you were genuinely worried about a rarely used SSL exploit, you must already have solved all the more likely, more important problems first. In other words, we need to prioritize our computer security efforts by how likely an attack is and how much damage it does, instead of reacting to every newly announced (and sometimes never exploited) vulnerability.
Another example is his take on computer security workers getting upset when employees don't treat password security seriously. Many employees use weak passwords (when allowed), reuse the same password across many unrelated web sites (which is just asking to be hacked), and often give their passwords away to friends, co-workers, and even strangers. We get frustrated because we know the possible consequences to the business, while end-users don't understand the risk to the company of poor password practices. What Schneier taught is that the end-user is evaluating passwords based on the personal risk to themselves. Employees rarely get fired for bad password practices. Even if a hacker steals money from the end-user's bank account, the bank usually replaces it promptly. Schneier taught us that it's us, the computer security professionals, who don't understand the real risk. Until the real risk actually causes the end-user harm, they won't voluntarily change their behavior. How's that for thinking you were the expert on a subject and finding out the end-user understood the risk better?
He is the author of more than a dozen books, including such early works as 1996's Applied Cryptography: Protocols, Algorithms and Source Code in C (https://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/1119096723). He wrote a few other books on cryptography (including a couple with Niels Ferguson), but Schneier also began to pursue his long-time interest in the larger reasons why computer security was not improving. The result was a series of books, each exploring the non-technical reasons (trust, economics, sociology, and so on) for the continued weakness. They are filled with easy-to-understand theory illustrated with example stories. Here are my favorite general-interest Schneier books:
● Secrets and Lies: Digital Security in a Networked World (https://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803)
● Beyond Fear: Thinking Sensibly About Security in an Uncertain World (https://www.amazon.com/Beyond-Fear-Thinking-Sensibly-Uncertain/dp/0387026207)
● Liars and Outliers: Enabling the Trust that Society Needs to Thrive (https://www.amazon.com/Liars-Outliers-Enabling-Society-Thrive/dp/1118143302/)
● Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (https://www.amazon.com/Data-Goliath-Battles-Collect-Control/dp/039335217X/)
If you really want to understand computer security, why it isn't better, and the problems coming its way, you should read these books. You should also read Schneier's blog (https://www.schneier.com/) and subscribe to his monthly Crypto-Gram newsletter (https://www.schneier.com/crypto-gram/). There is a marked difference in the quality of security practitioners who regularly read Schneier compared to those who don't. His writing style is accessible and entertaining, and he doesn't suffer purveyors of "fake" security gladly. His past "Doghouse" takedowns of crypto frauds are lessons in themselves. He writes regularly on the most important issues of the day.