Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier Publisher: Wiley Category: Book
Media: Paperback Edition: 1 Pages: 448 Number Of Items: 1 Shipping Weight (lbs): 1.2 Dimensions (in): 8.9 x 6 x 1.2
ISBN: 0471453803 Dewey Decimal Number: 005.8 UPC: 723812595563 EAN: 9780471453802
Publication Date: January 30, 2004
Editorial Reviews:
Amazon.com Review
Whom can you trust? Try Bruce Schneier, whose rare gift for common sense makes his book Secrets and Lies: Digital Security in a Networked World both enlightening and practical. He's worked in cryptography and electronic security for years, and has reached the depressing conclusion that even the loveliest code and toughest hardware still will yield to attackers who exploit human weaknesses in the users. The book is neatly divided into three parts, covering the turn-of-the-century landscape of systems and threats, the technologies used to protect and intercept data, and strategies for proper implementation of security systems. Moving away from blind faith in prevention, Schneier advocates swift detection and response to an attack, while maintaining firewalls and other gateways to keep out the amateurs. Newcomers to the world of Schneier will be surprised at how funny he can be, especially given a subject commonly perceived as quiet and dull. Whether he's analyzing the security issues of the rebels and the Death Star in Star Wars or poking fun at the giant software and e-commerce companies that consistently sacrifice security for sexier features, he's one of the few tech writers who can provoke laughter consistently. While moderately pessimistic on the future of systems vulnerability, he goes on to relieve the reader's tension by comparing our electronic world to the equally insecure paper world we've endured for centuries--a little smart-card fraud doesn't seem so bad after all. Despite his unfortunate (but brief) shill for his consulting company in the book's afterword, you can trust Schneier to dish the dirt in Secrets and Lies. --Rob Lightner
Product Description
Bestselling author Bruce Schneier offers his expert guidance on achieving security on a network.
Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.
* Walks the reader through the real choices they have now for digital security and how to pick and choose the right one to meet their business needs
* Explains what cryptography can and can't do in achieving digital security
Customer Reviews:
A must-read for true computer security professionals
October 29, 2000, Richard Bejtlich (Washington, DC)
I am an Air Force officer and technical resource for a 50-person military intrusion detection operation. I've seen Bruce speak twice and he never fails to impress. "Secrets and Lies" is no different. This book is not designed to teach readers about the latest security technologies. It was not written to promote specific products, although Bruce explains how the book's themes caused him to revamp his Counterpane firm. What the book does is teach security professionals how to think about their craft. I would recommend it to everyone in the field from day one, but its deeper meanings would probably not be evident until a year's work on the front lines. Some of the ideas aren't new. For example, I've heard members of the L0pht petition for a software Underwriter's Lab for years, and others have encouraged liability laws for software vendors. Bruce builds on these ideas and weaves them into his own prescription for dealing with complex and inherently insecure systems. This is the type of book that gives a professional the vocabulary and framework to organize his understanding of the security process. "Secrets and Lies" creates the "little voice" that warns against a vendor's promises to solve all your problems with a $30,000 box-of-wonders. Of particular interest to me, after training in economics, is Bruce's insistence that "the buying public has no way to differentiate real security from bad security." It logically follows that the market cannot address this problem, since "perfect information" does not exist. Therefore, outside organizations (perhaps an FDA for software?) should get involved, but not by outlawing reverse engineering and security tools. I give five stars to books that make the complex simple, that reveal and enhance technical details, or that change the way I look at the world. This book fits two, and possibly three of those categories. Bravo, Bruce.
Excellent intro infosec book that everyone should read
September 18, 2000, J. G. Heiser (Sunninghill, Berks)
Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences:
- Beginning security specialists
- IS and other business managers who make decisions about systems deployment
- Experienced security practitioners who want to improve their thinking and analysis skills
- Those studying for security certification, such as the CISSP
- Software and Internet product planning and marketing staff (and not just security software)
Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in "Information Security" magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him - it takes all 400 pages to paint the complete story, and if you don't approach it linearly, you run the risk of missing the subtleties of the author's message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.
The chapters that I found most significant included:
(6 & 7) Cryptography: It is no surprise that he has written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms.
(9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems.
(12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys.
(13) Software Reliability: Best description of stack overflow that I've ever seen for a lay audience.
(22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier's other specialty, and he's written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.
I'm often asked to recommend introductory texts on information security, and unfortunately there really aren't that many good books for a newbie. If more books existed, I would probably give Schneier's book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterword, his 'epiphany' occurred only 12 months before completing the text - this isn't much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters:
(4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of 'spy' or 'hacker'.
(5) Security Needs: Some of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don't characterize audit as a requirement, but as a control.
(15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance - the more stringent the rules, the higher the assurance. He doesn't discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature.
(16) Security Tricks: His vehement attack on key recovery is politically extreme. The government's ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn't used an encryption product and lost a key?
(21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don't believe that putting information security risk in dollar value terms is practical.
Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed at a completely different audience than "Applied Cryptography" - it isn't a technical book - it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes - this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are "The Process of Network Security" by Thomas Wadlow, and "Fighting Computer Crime: A New Framework for Protecting Information" by Donn B. Parker (I've reviewed both here on Amazon).
A classic and 'must read' book - raises awareness
May 14, 2002, Linda Zarate (Azusa, CA United States)
This book introduces security and privacy to technical and non-technical readers alike. What I especially like are:
- Social aspects of security and privacy are addressed using the motives of attackers and broad profiles of attacker types, analysis of threats and countermeasures, and what it all means from legal and social perspectives.
- Easy introduction to security infrastructures. The author imparts a good deal of technical knowledge without overwhelming non-technical readers.
This book may initially disappoint technical readers who have read Mr. Schneier's earlier book (Applied Cryptography), but I can assure you that the technical underpinnings are only part of the picture. This book gives a complete view of all aspects of security, and is invaluable because it raises awareness of all issues. It's all the more valuable because it can be read and understood by a broad audience. There are two other books that I recommend in addition to this one: "Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community" (Mr. Schneier wrote the preface to this book), and Richard Hunter's "World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing".
Multi-disciplinary look at security
November 9, 2001
Bruce Schneier covers the entire landscape of information security with this book. He balances technical and psychological aspects of security, and does so in clear prose that does not talk down to security professionals, while explaining the details to lay persons. As a competitive intelligence specialist who is only peripherally concerned with the technical underpinnings of security I gained much from this book. Among the valuable insights are: a thorough look inside the minds of attackers and spies (state- and corporate-sponsored), an array of threats that I had not previously considered, and the motives behind attacks that are as likely to be oblique as they are to be frontal assaults. Further, I learned a lot about my own profession, especially since my job is "white-ops" (obtaining publicly available information on competitors using strictly legal means). What I really like about this book is the clear explanations of cryptography and security infrastructure. Mr. Schneier has a talent for clearly explaining complex topics so that people like myself who have no technical background can easily understand them. Because my job is closely related to mainstream information security this alone made the book worthwhile. I recommend this book highly to technical practitioners as well as fellow competitive intelligence specialists. Both groups will gain a broader understanding of information security from this informative, easy-to-read book.
The only holistic view of digital security in print
January 3, 2001, Mike Tarrani (Deltona, FL USA)
In Secrets and Lies Mr. Schneier weaves an exquisite tapestry that depicts every facet of digital security in detail and depth. The thread from which this tapestry is woven is excellent writing that is informative, entertaining and sardonic. This book is a holistic view of security from every angle. His cogent analysis of threats, attacks and adversaries and their motivations goes deep into social and psychological aspects of those who would breach our systems. Both blatant and subtle threats are examined in a straightforward and informative manner. Types of attacks are given the same thorough treatment. Everyone from pimple-faced hackers and wannabes, to criminals, infowarriors and government organs are profiled in a consistent manner. Mr. Schneier's treatment of threats, attacks and adversaries shows an aspect of security that is often overlooked by the technical practitioner. This set of subjects could have been a book in itself - and a best seller at that. The main value, though, is this section of the book will enlighten the "in-the-weeds" technical specialists about a much wider set of issues associated with digital security. The treatment of technology shows that the author not only deeply understands risks and the human side of security, but is also a master of the technical underpinnings. Every major technical facet of the security business is explained in a clear manner. One of the book's strengths is that it delivers clear explanations of complex technical topics in such a way that non-technical people can easily understand. As such it gives an understanding of security to those who most need it - key decision makers and executive management. As someone who works in the field of e-commerce security I strongly recommend that my technical peers, clients and executive management read this book. Read it twice, in fact - read it the first time to gain an appreciation for just how complex the practice of digital security really is, and the second time to catch the plethora of sage advice and subtle hints that the author has sprinkled through this excellent book.