Tuesday, September 15, 2009

Thoughts on the Cult of Schneier

Earlier in the year John Viega wrote a short opinion article called The Cult of Schneier, referring to the near-religious following that Bruce Schneier has acquired over his long and successful career in IT Security, and the biblical authority that the Applied Cryptography book has attained. Viega's main issue with the book as it currently stands is that "It's fine and fun to read it, just don't build from it".

I think that Applied Cryptography was a very well-crafted book. It contains an excellent mix of mathematics, exposition, security intrigue and executable code. However for me, and a few other cryptographers I know, the Handbook of Applied Cryptography is a best source of general cryptography information. The book does not enjoy anywhere near the same general recognition as Applied Cryptography, seemingly because it is viewed as a "math book" - correct, factual, thorough and therefore unappealing to a wide audience, as most technical books are. In short it lacks the narrative woven into Applied Cryptography. On the other hand, no one would really confuse the Handbook with a solution manual for designing and implementing secure systems.

Earlier in the year I made a post on Some Black Swans in IT Security, and I listed Bruce as an unexpected phenomenon in the following way

Bruce Schneier is the best known security authority in the world. His blog has hundreds of thousands of readers, his posts can yield hundreds of comments, and his books are bestsellers. His opinions hold sway over both technical people and executives, as well as all the layers in between. He is the Oprah of security - a public figure and a leading opinion maker. The Black Swan aspect of Mr. Schneier is that he has achieved this status through excellent communication (and yes cunning publicity as well) rather than technical prowess. Of course he has technical prowess but that is rather common in security and cryptography. What is uncommon, or even uncanny, is the ability to explain security in terms that can be understood by non-specialists whether it be programmers, professionals, managers or executives. Bruce has literally written himself into the modern history books of security. He has shown, once again, that communication is king - the security explanation is mightier than the security deed.

I don’t really think that there is a cult in operation over Bruce Schneier, but rather a hero was found when security as an industry needed to believe in heroes.


Unknown said...

You consider technical prowess of an AES Finalist "common"? [ http://en.wikipedia.org/wiki/Twofish ] Counting co-authors the 5 finalists are less than two dozen, mostly academics or pure researchers; Twofish rated 3rd. His crypanalytic team ensured whichever won it would be the best - they even cryptanalyzed their own [ http://csrc.nist.gov/archive/aes/ ], one of the hardest of intelectual acts.

Bruce's writing is valued not only for its clarity but its credibility and conscience.

Common? no.

Unknown said...

Hi Bill, first I was one of those two dozen academics or pure researchers you are referring to above, as part of the IBM team, and I agree that Twofish was a very well-documented submission.

When I say "common" I mean amongst the people who have chosen cryptography as their field - who have obtained a PhD, and created a track record of results and publications.

Most of these people won't be writing books like Beyond Fear, or even Applied Cryptography. And they would probably not do a good job if they did. Such people are concerned with results for specialists and not exposition to related professionals.

But I take your point that Bruce's writing is underwritten by a good research record.

regards Luke