Put Not Your Trust in Maths
Secrets and Lies: Digital Security in a Networked World.
By Bruce Schneier.
John Wiley & Sons; 432 pages; $29.99 and £19.50
WHEN an acknowledged expert suddenly announces that his previous views are completely wrong, it is time to take notice. That is exactly what Bruce Schneier, an authority on computer security, has just done in "Secrets and Lies". Like many in his field, he used to be beguiled by the mathematics of cryptography, and believed that, with enough fancy encryption and authentication, it was possible to build a totally secure system—a mathematical utopia he described in a previous book, "Applied Cryptography", which became a standard work. But Mr Schneier now believes that he was wrong, and "Secrets and Lies" is his bid to correct this mistake.
Cryptography, he writes, does not exist in a vacuum; in the real world, computer security systems rely on buggy or unstable software and hardware, and their users are erratic, capricious and unreliable. Putting his trust in mathematics alone, Mr Schneier has now realised, was naive. Since no system can ever be totally secure, computer security is about minimising risk, detecting intrusions, and tracking down the perpetrators. And that is what his book is about. Instead of talking algorithms to geeky programmers, he offers a primer in practical computer security aimed at those shopping, communicating or doing business online—almost everyone, in other words.
It sounds like dry stuff, but Mr Schneier's many examples constitute a litany of disaster, fiasco, foul-up and fraud that would be hilarious were the consequences not so serious. Mr Schneier is an engaging guide to the computer-security underworld, sprinkling his chatty prose with historical references, explaining why Galileo was a hacker but Aristotle wasn't, and quoting all-comers from Genghis Khan to Luke Skywalker.
He outlines the various kinds of attacks, break-ins, hacks and "exploits", and describes the attackers themselves, from clueless "script kiddies" to organised criminals. He examines and explains the various security technologies that exist, and what they can and cannot do. Finally, he looks at what companies can do to protect themselves. Given the author's new-found pragmatism about the limits of security technology, his conclusion is not exactly heartening—but getting there is certainly entertaining.