March 27, 2012, 7:11 PM — There are a lot of consultants, experts, pundits, commentators, researchers, analysts, technologists and yahoos providing information, analysis and recommendations about digital security. It's a growth industry that offers plenty of opportunities for exposure and profit for those who can sound as if they know what they're talking about.
If you're looking for reliable information or advice, you have to look carefully at what each of these potential guides is saying or writing, not just what they seem to be saying or writing. More even than in most areas of IT, answers that seem to be useful or accurate tend to warp into something different when they're pressed closer to the facts. Or the hackers.
Not so the advice of Bruce Schneier, consultant, author and subject of a Chuck-Norris-parody meme ("When Bruce Schneier was a kid he would talk to his friends across the yard using tin cans connected by a string. The messages on that string were 4096-bit RSA encrypted." "The universe exists because Bruce needed a reference platform." "Bruce Schneier expects the Spanish Inquisition.").
Schneier regularly commits the business-consultant-heresy of talking about topics that can be incredibly arcane in language understandable even to those who don't spend Saturday nights on IRC arguing which Ubuntu distro rocks hardest.
He often commits the security-consultant heresy of downplaying security threats simply because he considers them far less a threat than cyberattack hysterics would suggest (the danger from identity theft is "vastly overrated").
He also sometimes points out the kind of political and social issues most security honchos in government or military organizations prefer not to talk much about. Like "the long-range security threat of unchecked presidential power," why universal surveillance and data mining won't protect us from terrorists and "why computer security is fundamentally an economic problem."
Just to point out the obvious: there are points in there guaranteed to piss off every major source of revenue for security consultants, from elected officials to the military to computer vendors to users.
He's still in business and still counts members of all those constituencies as active parts of his audience.
Not impressed that Schneier not only knows what he's talking about and can boil a big complex topic down to the things important enough to worry about and explain them in ways his audience can actually use? You try to write a book called "Applied Cryptography" and make it a bestseller.