Security out of Obscurity

Secrets and Lies by Bruce Schneier, John Wiley, £19.50, ISBN 0471253111

An exceptional amount of disinformation plagues the world of information security. For decades spies obstructed the "proliferation" of cryptographic and security know-how. This made their job of snooping far easier.

When in 1993 I tried to organise a research programme in computer security, cryptography and coding theory, a spook in a suit approached the institute involved. He told the director that "There's nothing interesting happening in cryptography, and Her Majesty's government would like this state of affairs to continue." To his great credit, the director spilled the beans; the institute's reaction guaranteed our funding.

As everything goes online, the issue of information security now concerns everyone. And information security is about power, make no mistake: the power to grant or deny access to a resource.

Now the public cares far more about the issues, and information technology is empowering them. The PC lets people balance their bank accounts and verify that the bank's computer hasn't accidentally added a point to the interest rate. The contempt that many insurers and hospitals had for medical privacy became clear as soon as they had to compete with GPs to control the electronic health record. Government surveillance became a live issue once e-mail made it practical for individuals to evade it.

Bruce Schneier's Secrets and Lies attempts to explain these conflicts and the underlying technologies to the general reader. The recent debate in Britain over the Regulation of Investigatory Powers Bill showed the need for explanations, or at the very least metaphors, that could be grasped by the general public.

Schneier has the right background. As well as scientific papers, he wrote Applied Cryptography, which explains modern cryptography to the working engineer, and sold more than 100 000 copies. It portrayed cryptography as the essential technology for protecting networked systems.

He then set up a security consultancy, and discovered that the things that go wrong with real systems usually have little to do with the mathematical strength of encryption methods. People encrypt the wrong things, encrypt them the wrong way or simply leave the back door open.

Worse, it is unrealistic to expect a company to spend a lot on security if its customers bear the risks of fraud. The business ethos that impels companies to contract their systems management to outsiders poses a greater threat than any number of "evil hackers on the Internet".

In Secrets and Lies, the things that actually go wrong are explained by lots of concrete examples, some stunning. Schneier illustrates the subtleties of "false accept" versus "false reject" rates in intrusion-detection with a trick the Mujahideen used in Afghanistan. They hurled rabbits over the fences of Russian bases to set off the perimeter alarms. Once the Russians gave the alarm system up for broken, the Mujahideen attacked. He adds phone frauds and fake automated cash machines to his tales of classic commercial frauds, before scrutinising the modern "e-variants".

Schneier's thesis is that human nature won't change, and that there's not much new under the Sun. As he puts it, "The future is like the past, except with cooler special effects." This is reassuring: a legal system that worked in the past is likely to work in the future. Much of the current policy panic is unnecessary.

Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun. It may even give people the courage to think about protection mechanisms and policies at the system level, and then challenge organisations that claim some outrageous imposition is necessary "for security".

Ross Anderson leads the security team at the Computer Laboratory, University of Cambridge.
