Secrets and Lies by Bruce Schneier: A Shockwave Review

The internet is growing up and, like a small child becoming an adolescent, it’s having growing pains. Fortunately, we have Bruce Schneier to act as our technological Dr. Spock.

The internet has moved from a Defense Department initiative to a toy for geeks to a powerful research and communications tool, and is now a major economic force. Up until recently, the net was pretty much left alone. With the advent of the World Wide Web and faster connection speeds, commerce came to the net. Now it takes big money just to start a net company. We need to treat the net like a young adult, even though the technology is still in its infancy.

Schneier has a background in cryptography, and has written several books on the subject. Cryptography was supposed to be the way that the net would be secure. With proper cryptography, went the theory, you could send credit card information and other personal data over the net without fear of eavesdroppers.

Well, that’s not quite how it works. In his latest book, Secrets and Lies, Schneier meticulously details many of the problems with internet security, and offers many solutions. This is a must-read book for anyone involved in computer security. It’s easy for a layman to read; he doesn’t start using geek terms until chapter five. Schneier writes with insider knowledge without sounding like he’s spent his whole life in front of a monitor.

The main thesis of Secrets and Lies: Internet security should be treated like security for any other entity where money and reputations are involved. Banks have armed guards, cameras and thick vaults to store currency, yet banks are robbed all the time.

It’s highly entertaining, full of Schneier’s wit and his ability to pluck examples from other areas. He effortlessly moves from Aldrich Ames to Herodotus to Federal Express to Star Wars to rigged elections. Not all areas of computer security are seen as problems by everyone. As he points out, since before the advent of internet commerce, “There’s a fine line between good customer service and stalking.” (p32) You and Microsoft have very different views of what constitutes a ‘problem’.

Computers and computer networks are subject to many of the same problems as any other Big Business. Your credit card number may be transmitted securely over the net, but that won’t prevent some insider from going to the computer and transferring all the files onto floppy. It won’t prevent someone looking over your shoulder as you type in the number. As Schneier puts it, “Compared to the physical world, cyberspace is both exactly the same and very different.” (p384)

The two main differences in computer security (vs. bank security) are Automation and Action At A Distance. Once someone figures out how to break into a system, all he has to do is write a little program to do it and e-mail it or post it on the web. All of a sudden, everyone and her sister has access to the same way to break security. The person who causes all the damage may never have met the original scripter, and may not even know who he is. It only takes one person to figure out how to hack a system and spread the word.

The second difference is Action At A Distance. Last year’s attack on CNN, Yahoo and others, which made big headlines, turned out to have been done by a 16-year-old in the Philippines. Aside from the fact that the Philippines had no laws on the books making this illegal, he didn’t affect anything in that country anyway. He was eventually let go, after costing millions in lost revenue in the US.

While computers and the internet have unique aspects to them, they are also subject to the frailties of any human endeavor. Your teenage son can use your credit card to buy things over the net, just as he could in person at the mall if the cashier doesn’t check too closely. People can guess your password. The same crooks who market counterfeit Jordache Jeans will spend the bucks to break the copy protection of Photoshop.

Schneier expertly takes you through some security breaches that have already happened, what lapses in security exist now, and how to do Threat Modelling and Risk Assessment of your own system, and speculates on what you can do about it. Just as banks continue to get robbed, there WILL be attacks on computers and networks. You may think you’re doing fine behind a firewall, but you’re missing a lot, and it WILL cost you. With Secrets and Lies, Bruce Schneier lets you know what types of threats are out there and how you can ameliorate the pain.

Just like Dr. Spock.
