Friendly firewalls

In “Schneier as a technology leader,” Dave Winer reacts to this comment about SOAP made by Bruce Schneier at the 2002 Emerging Technology conference: “SOAP is a firewall-friendly protocol like a bullet is skull-friendly.” I’m pretty sure that was the quote because I jotted it down in the notes I took that day. It’s funny how things change. Back then, during the first flush of excitement about web services, SOAP was how the tech industry imagined web services would talk to one another. And REST was, as it still is, how in most cases they actually do talk to one another.

If REST had SOAP’s approval rating back then, Schneier might as easily have said: “REST is firewall-friendly like a bullet is skull-friendly.” That would have been equally true. And equally irrelevant. Because as it turns out, enabling web services to tunnel “securely” through HTTPS is the least of our concerns. If governments have compromised the endpoints, and/or the encryption protocol itself, all bets are off.

In Dave Winer’s notes from that 2002 talk he wrote:

Jon Udell, who I respect enormously, said that Schneier was the leading authority on security. My impression, and it’s just an impression, is that this kind of praise has gone to his head.

Dave’s recollection of that conference is accurate. Bruce was snarky. He did bash Microsoft. He also put forward the visionary idea that we can best secure computer networks by managing risks the way the insurance industry does. That was a conclusion he reached after fundamentally rethinking his own long-held assumptions about the capabilities and relevance of cryptography. In my review of his book Secrets and Lies, which describes that intellectual journey, I wrote:

It’s a rare book that distills a lifetime of experience. It’s a rarer one that chronicles the kind of crisis and transformation that Bruce Schneier has undergone in the last few years. He’s emerged with a vital perspective. Cryptography is an amazingly powerful tool, but it’s only a tool. We need to use it for all it’s worth. But at the same time we have to be clear about its limitations, and locate its use within a real-world context that is scarier and more complicated than we dare imagine.

The people I most respect nowadays are those who can change their minds in response to new information and changing circumstances. In 2000, when Secrets and Lies was published, we didn’t dare imagine that our worst adversaries were elements of our own governments. Now that we know that’s true, can Bruce Schneier help lead the way forward? I hope so. And while I agree that a snarky attitude can be a problem, if deployed carefully in the right context — say, a congressional hearing — it might come in handy.
