Review: Liars and Outliers by Bruce Schneier

tl;dr An enormously important book about understanding and optimizing security in the 21st century.

On the Internet, nobody knows you’re a dog. I don’t know Bruce Schneier, and he certainly doesn’t know me. Even so, when he announced a heavily discounted signed edition of Liars and Outliers he was effectively testing the main hypothesis of the book: That in any society it is reasonable to uphold a non-zero level of trust even in complete strangers:

  • Schneier trusted 100 (or at least enough to make a net gain) random strangers to reciprocate the offer by writing and publishing a review of the book.
  • 100 random people trusted him to sign copies of the book and send it to the correct addresses upon receipt of the money.
  • All 101 of us trusted essentially the rest of the human race not to interfere in the transaction, even when interference could mean easy money with virtually no chance of retribution.

Schneier goes on to explain, with his famous lucidity and reference to much contemporary research, why this trust is essential to all human interchange, how trustworthiness is highly dependent on the situation and not just the person, how a society with 100% conformity is not just a terrible goal but literally impossible, the human and artificial pressures to cooperate or not, how more severe punishments are often ineffective or even counter-effective, and how social and technological evolution is too fast for democracy to stabilize the overall level of trust.

[At this point I wanted to double-check the scribbled-down criticisms below, but the book is 3,000 km away with a nephew. Please take the following with a grain of salt. And now that I’ve lowered your expectations, let’s continue!]

In some very few places I found the wording misleading. For example, the iTunes store doesn’t allow you to buy music, merely to license it for your personal use. As far as I understand from what very little I’ve read of this, when iTunes shuts down, there are many jurisdictions where you would not be allowed to download songs which are audibly indistinguishable from what you had paid for.

The graphs are generally informative, but sometimes confusing. For example (pages 72-73):

  • Traits/Tendencies and natural defenses are both in the social pressures box, while the text says neither is a social pressure.
  • There’s an incentives line and a separate box.
  • Why are some of the lines double? If they’re strong, a thick line would be clearer.

One note is terrifying: On average, 7% of terrorists’ policy objectives are achieved? What method could conceivably be considered more effective than 7% for a (usually) tiny group, often of foreigners? Compare it to normal bureaucratic channels, where usually only billionaire citizens or corporations have the slightest chance to change policy within a reasonable time.

Conclusion: I wish this had been compulsory reading at high school. With entertaining anecdotes, scary implications of human nature, and scientifically grounded careful optimism it’s the most dangerous book everyone should read.

Social contract – Fulfilled!

Stuxnet motives

Which motives could there be for the Stuxnet virus’ behavior? This is more of a list to remember, in case more evidence of the behavior surfaces later. Note that there’s no mention of which motives I think are likely – I don’t know enough about Stuxnet or the people behind it for that.

Direct motives (possible perpetrators):

  • Plain sabotage. They simply don’t like the Iranian leadership (US, Israel, Iranian political group), the idea of an Iranian nuclear plant or nuclear enrichment program (US, Israel, environmentalist group), that particular plant (local interest group), or the nuclear plant administrative or technological leadership (disgruntled workers).
  • Creating a new Chernobyl (doomsday sects).

Indirect motives:

  • Demonstrate the possibility of disabling a nuclear plant (black/grey hats, environmentalist group).
  • Increase tension between Iran and its political opponents (Iran, US, Israel).
  • Demonstrate skill, to get hired by a government agency (highly gifted person or small group).
  • Discredit Siemens software (competitor companies like Realtek).
  • Scare people / governments into supporting more strict Internet legislation (US, UK, Iran).
  • Scare governments into investing more in “cyberwar” agencies.
  • Harvesting of secret information (US, Israel, any nation that wants nukes).
  • Other misdirection: The obvious political motive could be a cover for what is happening in Indonesia or elsewhere.

EIF replies

In response to Glyn Moody’s Open Source and Open Standards under Threat in Europe, here are the open replies to the key people (I’ll post as they are sent).

Joaquín Almunia:

Dear sir,

I have just read some disconcerting news and opinions regarding the EIF process (“Open Source and Open Standards under Threat in Europe” by Glyn Moody), and I hope you have the time to include the opinions of a software developer in your deliberations.

I have been working in private companies and the European Organization for Nuclear Research (CERN) since my graduation in 2004. I am also an active web user and contributor. This activity has taught me a few important business lessons:
1. Open source software and data based on open standards* are much more robust in the face of change than the alternative. Software is evolving fast, but if the proprietary software provider is unwilling or unavailable to make new software work with old data, the only options left are a costly and difficult re-implementation, a costly and difficult (often impossible because of data complexity) migration to other software, or outright abandonment.
2. Closed source means re-inventing the wheel over and over. Software business should be about creating additional value on top of what already exists, not about costly reiterations of what already exists.
3. With the availability of cheap Internet connectivity, storage and computing power comes the opportunity for individuals and communities to make millions of incremental improvements to software every day. These updates are available to anyone else, making for an enormous amount of work provided for free for anyone to build upon or profit from.

* I.e., software / standards which are available for free for anyone to view, modify and re-publish, optionally with additional restrictions or permissions such as the opportunity to change permissions on derivative works or the need for source attribution.

Just received a reply. The gist:

Recently, “draft versions” of the revised EIF have apparently been published on the Internet and we understand that you refer to these draft versions. You should note that the Commission cannot comment on such draft versions as they do not reflect a formal Commission position. But let me assure you that the guiding principles for the revision of the EIF include technological neutrality and adaptability, openness and reusability, as specified in the legal base of the Programme “Interoperability Solutions for European Public Administrations” (ISA)2, in the context of which the revision is being carried out.

Ever wanted to register your protest against the baggage check insanities at the airport? You know, the one where blunt, sharp, wet and flammable things are taken away from every passenger, for ridiculous reasons*? Unless you’re a high-ranking U.S. politician, there’s not much you can do to influence directly, and using other transport is out of the question for most people.

What any passenger can do is to frustrate the system as much as possible. You can fill a little water in a used bottle, bring it along in your hand luggage, and dump it at the security check. The bigger the better, for making the garbage bags fill up and showing your sympathy with other passengers. You can also bring a bottle smaller than the limit (WTF is up with that anyway? You can bring several deciliters in total, and I don’t suppose a lot of explosives are needed to blow up a plane), go through the check, and then suggest sending it separately. Korean Air did that for me free of charge. Just make sure you’re nice about it – it’s not the airport employees’ fault.

Let’s protest in a visible way.

* For those who want to rant about how it can prevent terrorist attacks, consider this:

  • There are so many possible attack vectors, you couldn’t possibly prevent all of them. If you disallowed hand luggage, stripped every passenger down and shackled them spread-eagle on the plane, a passenger could still have explosives or pathogens in his or her body.
  • The arrangement obviously steals time. A little math will show you that if the extra procedure takes 1 minute per passenger (a very conservative estimate) then this stupidity steals 5232 years of passengers’ lives annually (according to a 2006 estimate)!

Is the U.S. evil?

The reputation of the U.S. has been taking a beating for decades now, and even more so since a lying adulterer gave up his office to a lying warmonger. Let’s see if a few search engines can give us an idea of what people think…

Google gives 254 million results for good and 40.9 million results for evil, that is 86% good.

All right, but that just counts the number of pages. How about pages that people actually read? 2294 results for good and 515 results for evil, that is 82% good.

Interesting stuff. But in all fairness, Reddit deals a whole lot more with news, and should give a better zeitgeist than all the bookmarks thrown together. Counting only stories of the last month with a score over 1 (that is, at least two persons must have voted for the story) gives 2 results for good and 8 for evil, that is 20% good. Ow!

But check out those links! That’s not proper news… Unfortunately, the Digg search gave no results whatsoever in the “World & business” category for these searches, even when searching a whole year, and no useful results in the other categories.

Anyway, it’s a bit futile to get a semantically correct view. The thesaurus entry for the adjective “evil” lists “good” among five other antonyms, for a total of six. “Good” has a total of 19 antonyms (“Evil” is only listed in the noun definition). So how about we test with “evil” against all the other antonyms, “moral”, “righteous”, “sinless”, “upright”, and “virtuous”?

“Evil” versus “moral”, “righteous”, “sinless”, “upright”, and “virtuous” in search engines

Site                               | Not evil   | Evil       | % Not evil
Google                             | 39,600,000 | 40,900,000 | 49%
[bookmarking site, name missing]   | 242        | 515        | 32%
Reddit                             | 7          | 8          | 47%

In plain words, web pages, and bookmarked ones in particular, look a whole lot worse when looking for the “moral” antonyms of “evil”, while news stories look a whole lot better. Who’da thunk? Of course, this method doesn’t take into account spam and other #$@%. In any case, this seems to be a rubbish method for gauging public opinion.

No, I don’t have a life right now. Thank you, and good night!