Secrets & Lies: Digital Security In A Networked World
Bruce Schneier, the well-known security and encryption expert and author of Applied Cryptography, has recently had his newest book published, entitled Secrets & Lies: Digital Security in a Networked World, which explores the world of security as a system. Read the entire review below.
Secrets & Lies: Digital Security in a Networked World
author: Bruce Schneier
publisher: John Wiley & Sons, 09/2000
reviewer: Jeff “hemos” Bates
summary: A well written, well researched exploration of digital security as a system.
I’ve recently had the pleasure of reading Bruce Schneier’s latest writing effort, Secrets and Lies: Digital Security in a Networked World. A number of our readers may remember his prior book Applied Cryptography, which discussed the use of cryptography in our brave new digital world, and how the use of cryptography would make things secure.
This time around, Schneier is much more circumspect about the uses and application of cryptography. As he states in the introduction and throughout the book, when writing AC he thought that the use of cryptography would make things more secure. He was correct, but the lesson he learned while working with companies and individuals was that we can’t just add cryptography to a system and make it secure; systems must be designed from the bottom up with security in mind. S&L draws upon a huge amount of experience working in the security field, making one central point: any system, no matter how good the cryptography is, is only as strong as its weakest link. Yes, that’s an old cliché, but it’s one that bears repeating.
What makes it even more imperative to design systems to be secure is the sheer number of systems that aren’t secure, and what that means for us. Some of the examples Schneier uses in S&L are simply frightening to consider, were they to occur. And some of his ideas about what will come, and the tools we have to deal with it, will make you want to keep a good stash of gold Krugerrands under your mattress.
Indeed, as he talks about in the introduction, part of the reason this book took so long to write was that he was depressed by the world of security around him. Looking at what companies were doing, at what people were doing, and at the sheer number of system holes out there must be depressing, but it only drives home the point even more so that we must design *systems*, not just add cryptography and think that’s the magic pixie dust that can make everything better.
The book does an exceptional job of wending its way through various security measures, how they work, and how they fail. IMHO, one of the real strengths of this book is that it’s something a cryptography novice could read as well as an expert. Certain sections of the book are dedicated to the nitty-gritty behind systems, but there are also sections dedicated simply to laying out the process by which one should approach such systems. Indeed, the support blurb on the dust jacket is written by Jay S. Walker, the founder of priceline.com. This adds to the strength of the claim that the book can be for everyone.
Schneier is intimately involved with the security community: besides being the creator of the Blowfish and Twofish encryption algorithms and a frequent speaker at technical conferences, he has a company that deals with this day in and day out. More to the point for a book, he can also write. It makes reading about Product Testing and Verification (Chapter 22) a treat rather than a snooze. The book is one of those rare cross-overs, something to give your geek friends and your PHB, all of whom will appreciate it. The breadth of the book is revealed in the contents (duh), and it’s a good mixture of all the necessary elements. You’ll learn about entropy in a system as well as Attack Trees, Threat Modeling, and what all of this stuff means in day-to-day life.
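The review’s two recurring ideas, that a system is only as strong as its weakest link and that attack trees are the tool the book uses to find that link, can be made concrete in a few lines of code. The following is an added example written for this page; it is not code from the book, the review, or Schneier’s company. It evaluates an attack tree whose shape follows the well-known “open the safe” illustration used to introduce attack trees, but every cost figure is a constructed, unitless number chosen for the example, and the `harden` helper (modelling a control added against one attacker step) is the example’s own assumption rather than anything the book prescribes. OR nodes take the minimum over their children, AND nodes sum them, so the root’s value is exactly the weakest link the text talks about, and hardening that one step simply moves the minimum to the next-cheapest branch.

```python
"""Attack-tree evaluation: find the weakest link, then watch it move.

Added example for the review above; not code from the book or its author.
Each node is a leaf (one attacker step with an estimated cost) or a gate:
OR = any child suffices, AND = every child is required.  The cheapest way
to reach a node is the minimum over OR children and the sum over AND
children.  All costs are constructed, unitless illustrations.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    gate: str = "LEAF"              # "LEAF", "OR" or "AND"
    cost: float = 0.0               # only meaningful for leaves
    children: Tuple["Node", ...] = ()


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "OR", 0.0, tuple(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "AND", 0.0, tuple(children))


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the cheapest path to `node`."""
    if node.gate == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.gate == "OR":
        # Weakest link: the defender's position is only as good as the
        # cheapest branch, whatever the other branches cost.
        return min(results, key=lambda r: r[0])
    if node.gate == "AND":
        # Every child is needed, so costs add up (a simplification; a
        # real tree might also track feasibility or required skill).
        return sum(r[0] for r in results), [s for r in results for s in r[1]]
    raise ValueError(f"unknown gate {node.gate!r}")


def harden(node: Node, leaf_name: str, extra_cost: float) -> Node:
    """Copy of the tree with one leaf's cost raised by `extra_cost`,
    modelling a control put in front of that step (hypothetical helper)."""
    if node.gate == "LEAF":
        if node.name == leaf_name:
            return replace(node, cost=node.cost + extra_cost)
        return node
    return replace(node, children=tuple(
        harden(c, leaf_name, extra_cost) for c in node.children))


# Constructed tree: the classic "open the safe" shape with invented costs.
SAFE = any_of(
    "Open safe",
    leaf("Pick lock", 30),
    leaf("Cut open safe", 10),
    any_of(
        "Learn combination",
        leaf("Find written combination", 75),
        any_of(
            "Get combination from target",
            leaf("Bribe target", 60),
            all_of(
                "Eavesdrop",
                leaf("Listen to conversation", 20),
                leaf("Get target to state combination", 35),
            ),
        ),
    ),
    leaf("Install safe improperly", 100),
)


def hardening_rounds(tree: Node, rounds: int, extra_cost: float) -> List[Tuple[float, List[str]]]:
    """Repeatedly harden the first step on the current cheapest path and
    record how the weakest link shifts after each round."""
    history = []
    for _ in range(rounds):
        cost, path = cheapest_attack(tree)
        history.append((cost, path))
        tree = harden(tree, path[0], extra_cost)
    return history


if __name__ == "__main__":
    for cost, path in hardening_rounds(SAFE, 3, 50):
        print(f"cheapest attack costs {cost:>5}: {' + '.join(path)}")
```

Running it prints the cheapest path three times, each after a 50-unit control is added to the previous weakest step: cutting the safe open first, then picking the lock, then the eavesdropping AND branch. That last line is the point the review keeps returning to: once the obvious steps are covered, the weakest link is a combination of two cheap human-factor steps, which no amount of stronger cryptography on the lock would change.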
I wholeheartedly recommend this book.