Review: Secrets & Lies by Bruce Schneier
I’m not sure how I first heard about Bruce Schneier, but his ideas have appealed to me for a while now. He has an impressive background in computer cryptography, but it is his transition to a personality in the field of security that interests me most. Utilizing a technical background to build a more socially-relevant identity is a feat I personally hope to accomplish one day (just like Tony Stark, “Mannie” O’Kelly-Davis, or Mitchell Hundred). But enough gushing; let’s talk about the book.
First of all, I bought Secrets & Lies expecting the kind of social commentary Schneier makes when writing about “security theater.” This is not that book. The author is clearly still developing his voice here; his focus is still largely on technology. Apart from a single brief aside on how people internalize sensational threats, this book provides little in the way of sociology.
That said, Schneier paints a reasoned and cogent picture of computer security. He also takes pains to demonstrate just how many aspects of computer security are not novel, exemplifying with analogues in other contexts. This makes the book a great read for someone who is not comfortable with concepts like network protocols and program execution.
Many of these concepts are not new to me, but I was pleased to learn about one aspect of security that I never quite understood: certificate authorities. I think a working knowledge of how trust works on the web is useful for anyone routinely using it.
It is worth mentioning that Schneier has a good sense of humor. Given the subject matter and background of the author, it is easy to imagine a book like this being extremely dry or emotionless. Thankfully, the author peppers the book with enough bizarre scenarios and case studies to keep things light.
Originally published in 2000, Secrets & Lies is beginning to show its age. While the basic principles Schneier espouses hold true to this day, many of the examples could definitely use an update. Windows NT is heavily mined for examples of bad security practices but difficult to relate to today. Today, entities like Anonymous have merged the concept of “script kiddies” with the distributed denial-of-service attack model. Schneier covers both of these topics in detail, but their combination is worth discussing. While this cannot be held against the book (which is almost prescient in some areas), it leaves one wanting for more current examples. (Fortunately, the author maintains a monthly newsletter providing exactly this kind of up-to-the-moment coverage.)
Schneier concludes the book with an excellent discussion on risk management. Although it is emotionally gratifying to end on a positive note, it does not feel like the author is playing on our heartstrings with this organization. The topic follows quite logically from the previous chapters, and serves as an excellent thesis for the book. Unfortunately, the author takes time to draw parallels between this thesis and his newly-formed security company. This tinges the conclusion with a feeling of advertising copy and ultimately weakens it.
As mentioned earlier, I started this book expecting commentary from the mind that coined the term “security theater.” While I was disappointed in that regard, I am still happy to have read this book and eager to pick up the next.