Bruce Schneier's "A Hacker's Mind"

NB: This article is re-published with permission from the author, Cory Doctorow. Both Cory Doctorow and Bruce Schneier are advisory board members of the World Ethical Data Foundation. This article was originally published here:

A Hacker's Mind is security expert Bruce Schneier's latest book, released today. For long-time readers of Schneier, the subject matter will be familiar, but this iteration of Schneier's core security literacy curriculum has an important new gloss: power.

Schneier started out as a cryptographer, author of 1994's Applied Cryptography, one of the standard texts on the subject. He created and co-created several important ciphers, and started two successful security startups that were sold on to larger firms. Many readers outside of cryptography circles became familiar with Schneier through his contribution to Neal Stephenson's Cryptonomicon, and he is well-known in science fiction circles (he even received a Hugo nomination for editing the restaurant guide for MiniCon 34 in 1999).

But Schneier's biggest claim to fame is as a science communicator, specifically in the domain of security. In the wake of the 9/11 attacks and the creation of a suite of hasty, ill-considered "security" measures, Schneier coined the term "security theater" to describe a certain kind of wasteful, harmful, pointless exercise, like forcing travelers to take off their shoes to board an airplane.

Schneier led the charge for a kind of sensible, reasonable thinking about security, using a mix of tactics to shift the discourse on the subject: debating TSA boss Kip Hawley, traveling with reporters through airport checkpoints while narrating countermeasures to defeat every single post-9/11 measure, and holding annual "movie-plot threat" competitions.

Most importantly, though, Schneier wrote long-form books that set out the case for sound security reasoning, railing against security theater and calling for policies that would actually make our physical and digital world more secure – abolishing DRM, clearing legal barriers to vulnerability research and disclosure, and debunking security snake-oil, from "unbreakable proprietary ciphers" to "behavioral detection training" for TSA officers.

Schneier inspired much of my own interest in cryptography, and he went on to design my wedding rings, which are cipher wheels.

And then he judged a public cipher-design contest, which Chris Smith won with "The Fidget Protocol".

Schneier's books – starting with 2000's Secrets and Lies – follow a familiar, winning formula. Each one advances a long-form argument for better security reasoning, leavened with a series of utterly delightful examples of successful hacks and counterhacks, in which clever people engage in duels of wits over the best way to protect some precious resource – or bypass that protection. There is an endless supply of these, and they are addictive, impossible to read without laughing and sharing them on. There's something innately satisfying about reading about hacks and counterhacks – as authors have understood since Poe wrote "The Purloined Letter" in 1844.

A Hacker's Mind picks up on this familiar formula, with a fresh set of winning security anecdotes, both new and historical, and restates Schneier's hypothesis about how we should think about security – but, as noted, Hacker's Mind brings a new twist to the subject: power.

In this book, Schneier broadens his frame to consider all of society's rules – its norms, laws and regulations – as a security system, and then considers all the efforts to change those rules through a security lens, framing everything from street protests to tax-cheating as "hacks."

This is a great analytical tool, one that evolved out of Schneier's work on security policy at the Harvard Kennedy School. By thinking of (say) tax law as a security system, we can analyze its vulnerabilities just as we would analyze the risks to, say, your Gmail account. The tax system can be hacked by lobbying for tax-code loopholes, or by discovering and exploiting accidental loopholes. It can be hacked by suborning IRS inspectors, or by suborning Congress to cut the budget for IRS inspectors. It can be hacked by winning court cases defending exotic interpretations of the tax code, or by lobbying Congress to retroactively legalize those interpretations before a judge can toss them out.

This analysis has a problem, though: the hacker in popular imagination is a trickster figure, an analog for Coyote or Anansi, outsmarting the powerful with wits and stealth and bravado. The delight we take in these stories comes from the way that hacking can upend power differentials, hoisting elites on their own petard. An Anansi story in which a billionaire hires a trickster god to evade consequences for maiming workers in his factory is a hell of a lot less satisfying than the traditional canon.

Schneier resolves this conundrum by parsing hacking through another dimension: power. A hack by the powerful against society – tax evasion, regulatory arbitrage, fraud, political corruption – is a hack, sure, but it's a different kind of hack from the hacks we've delighted in since "The Purloined Letter."

This leaves us with two categories: hacks by the powerful to increase their power; and hacks by everyone else to take power away from the powerful. These two categories have become modern motifs in other domains – think of comedians' talk of "punching up vs punching down" or the critique of the idea of "anti-white racism."

But while this tool is familiar, it takes on a new utility when used to understand the security dimensions of policy, law and norms. Schneier uses it to make several concrete proposals for making our policy "more secure" – that is, less vulnerable to corruption that further entrenches the powerful.

That said, the book does more to explain the source of problems than to lay out a program for addressing them – a common problem with analytical books. That's okay, of course – we can't begin to improve our society until we agree on what's wrong with it – but there is definitely more work to be done in converting these systemic analyses into systemic policies.

This work is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.