So, two months ago, I mentioned that I was going to read something fairly new. Two months ago, I was already late in reading and reviewing the book. Work, holidays, blaah blaah mea culpa.

Anyway, the book is Bruce Schneier's Liars and Outliers. In the interest of full disclosure I should probably mention that I received a signed review copy, bizarrely enough. No, the glamorous literati did not suddenly recognize my wit and genius. Instead, Schneier came up with an interesting idea to send a substantial number of copies to readers of his blog on the condition that they write reviews. I was one of those readers. This is my review. It's an interesting experiment. I have no idea how successful it has been or what the criteria for success really are in this case, but I'm really hoping that Schneier writes a blog post or something about it.

Now, as per the custom, I'll comment about the edition itself. It's in English and just came out. It's the only edition. That kind of kills a lot of my usual critiquing. Physically it's pretty solid binding and good printing. My only gripe is that all of the footnotes have been pushed to the end. I know this is pretty much the standard these days, even from very traditional academic presses. I can't realistically fault this book for that. But I will continue to rail against this silly practice as long as I have the energy.

As for actual content, well, it's pretty damn impressive. I can't say whether or not it's a "great book" with certainty. But I can say that I'm certain that it meets several important criteria already. First, does it really say anything new? It absolutely does. Security is an ancient field. But for all its age and perennial importance, it's a pretty fragmented field. In my job, I deal with simple technical measures. I deploy the patches and try to avoid weak implementations of stuff. Of course, I knew things like game theory and psychology and anthropology all said some stuff that was relevant to the general theory of it all, but the content suitable for my purposes versus the effort was unappealing. Schneier not only pulls all of those disparate fields together but does so critically and forms a cohesive framework for thinking about the various levels of tools available to maintain security and trust, as well as the reasons those tools fail. In particular, his treatment of game theory is exceptional. Some of you may know "that guy" who took that one class on game theory once upon a time and continually tries to shoehorn every situation into some game theory scenario, only to decide that it's a different scenario three or four times before he figures out that no-one cares about his rigid taxonomy. Schneier definitely ain't that guy. One of the major things Schneier achieves in the book is to outline how limited game theory is. It's a useful tool and he uses it well, but it's clear that it's a system that needs to be learned and then grown out of. And that's really just the tip of the iceberg. The sheer breadth of the material that had to go into this book is fucking staggering.

Second, does what it says actually have any relevance to our lives? That's even more certain. Schneier's framework scales from you and your friends to nation states. It isn't a perfectly smooth transition, much needs explaining and there are some caveats, but I think he demonstrates that there's enough overlap that you can think about all of these levels in the same terms. I initially balked at some of his applications of the framework when it scaled to the level of corporations, but by the end of that chapter Schneier had made his case and I no longer have any real objections. The relevance of the book is further enhanced by Schneier's specific examples about the American response to 9/11 and the resultant rise of the TSA. Basically, we have failed to understand that you cannot prevent all attacks all the time. You need to define an acceptable level of risk and scale to that. Absolute security is impossible, and striving for it has come, and will continue to come, at a bewildering cost, both in terms of our civil liberties and just straight up cold hard cash.

Third, I believe this work will be pretty timeless. While many of his examples are contemporary, there are enough historical ones to demonstrate that these ideas would have been useful in the past, and by proxy, are likely to continue to be useful in the future. Further, only time will really tell, but I suspect this will be a milestone text in the evolution of security theory.

So, in summary, if you work in anything even remotely connected to security, this book is a must read. And if you're just an average citizen, you should seriously think about finding room for it on your reading list.

Update: Bruce Schneier has posted the follow-up blog post that I had hoped for. You can find it here.