News in the Category "Secrets & Lies"


Bruce Schneier’s book Secrets and Lies

  • Jon Udell
  • Byte
  • October 18, 2021

Everyone who needs to understand or implement cryptographic algorithms reads Bruce Schneier’s Applied Cryptography. In that cookbook for cryptographers, it’s a matter of faith that deep mathematics, properly understood and cleverly arranged, can make three interrelated guarantees regarding digital communication:

  • Confidentiality. Because messages are encrypted, nobody but the sender and the intended recipients can read them.
  • Authenticity. Because messages are signed, nobody can impersonate anyone else.
  • Integrity. Because messages are signed, nobody can tamper with them undetectably…

Secrets and Lies: Nine Years Later

  • Joe Zack
  • JoeZack.com
  • July 14, 2013

UPDATE: Just found out that most of the book was actually copyright 2000, even more impressive!

I just finished reading Secrets and Lies: Digital Security in a Networked World and wanted to write up some of my thoughts while it was still fresh in my mind. The book was published in early 2004, hundreds of years ago in tech-time. However, I was really surprised at just how pertinent it still is.

This book was written before Stuxnet, before the PRISM scandal…heck, the book was written BEFORE FACEBOOK, yet after reading Secrets and Lies I feel like Bruce Schneier saw them coming from a decade away. Like a Digital Nostradamus…

The Security Processes

  • Ken Harthun
  • Security Corner
  • June 30, 2013

I have been reading Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World for some time now. Why it took me so long to finally read it, I don’t know – any security geek worth his salt needs the background this book provides. Granted, technology has changed and advanced since this book was first published in 2000, making some of the examples irrelevant in today’s environment, but the basics of security that they illustrate have not.

In Chapter 24, Mr. Schneier outlines and explains security processes in depth and states the obvious that most of us either never think about or take for granted:…

Review: Secrets & Lies by Bruce Schneier

  • Mike Pennisi
  • February 21, 2012

I’m not sure how I first heard about Bruce Schneier, but his ideas have appealed to me for a while now. He has an impressive background in computer cryptography, but it is his transition to a personality in the field of security that interests me most. Utilizing a technical background to build a more socially-relevant identity is a feat I personally hope to accomplish one day (just like Tony Stark, “Mannie” O’Kelly-Davis, or Mitchell Hundred). But enough gushing; let’s talk about the book.

First of all, I bought Secrets & Lies expecting the kind of social commentary Schneier makes when writing about “security theater.” This is not that book. The author is clearly still developing his voice here; his focus is still largely on technology. Apart from a single brief aside on how people internalize sensational threats, this book provides little in the way of sociology…

Book: Secrets & Lies (Review)

  • Anastasios Pingios
  • xorl %eax, %eax
  • September 13, 2010

Everyone knows Bruce Schneier (at least everyone reading my blog); to begin with, this is not a technical book about cryptography, it’s a book that wants to give almost the exact opposite message, that is that cryptography by itself cannot do much since security is comprised of numerous factors. This book was a present from a friend of mine and just for your information, this review/overview was written by reading it just once despite B. Schneier’s suggestion of reading it at least twice in order to understand the message “between the lines”. In any case, here it is…

Book Review: Secrets & Lies: Digital Security in a Networked World

  • John D. Chenoweth
  • Journal of Information Privacy and Security
  • 2005

Secrets & Lies provides interested readers with a guide for understanding the environment in which computer security must reside, the technical tools for implementing security, and a strategic approach for that security. Although the book was published in 2000, most of what Schneier presents is relevant today. The paperback edition includes a preface by the author addressing the time withstanding themes of security in light of the attacks of 9/11. The author breaks the text into three sections: The Landscape, Technologies, and Strategies.

The first section of the book provides the context in which security is discussed. In the introductory chapter, Schneier sets the scene by listing security events, software vulnerabilities, and website defacements that made the news in March 2000. In this chapter, the author argues, “…the reason that it is so hard to secure a complex system like the Internet is, basically, because it’s a complex system.” In the following four chapters, the author describes digital threats, attacks, adversaries, and security needs. Schneier articulates the ways in which digital security is different from other types of security. He then gives attack scenarios ranging from denial of service attacks, to surveillance, to legal attacks. Adversaries are categorized as lone criminals, the press, organized crime, the police, terrorists, national intelligence organizations and info-warriors. Finally, in this section, Schneier describes security needs in terms of privacy, anonymity, authenticity, and integrity…

Secrets and Lies: Digital Security in a Networked World (Review)

  • Paul Jones
  • Journalism and Mass Communication Quarterly
  • Spring 2002

“That is a good book to give to your boss so that his boss will see him reading it and think that he’s getting a clue,” said the geek beside me at the coffee shop where we were both working wirelessly.

“But to me, this book is just the right thing,” I answered. “Look, Schneier not only covers all the bases, but he’s a very clear writer and he’s witty to boot.”

“No code, no real book,” grumbled the geek.

“It is exactly his sticking to concepts that makes the book work for such a variety of readers. Look, you could give this book to someone who thinks that setting up a home firewall has made his cable-modem connected PC secure or to someone interested in being on top of security issues or even to someone who only surfs the net but wonders what dangers lurk there. None of them would be ill served. And all of them would be enlightened…

REVIEW: Bruce Schneier, Secrets and Lies: Digital Security in a Networked World

  • Rob Slade
  • RISKS Digest
  • July 30, 2001

Secrets and Lies has generated a great deal of interest in the security community this year. Much of this interest probably stems from the simple fact that it isn’t every day (or every year) that you get a general security book, written for the non-specialist, produced by a major name in the field. But one point seems to have been glossed over in the praise for this work. Schneier’s writing is lively, entertaining, and even playful throughout the entire book. Not only is this volume a realistic and useful view of the security enterprise, but it’s a lot of fun…

Secrets & Lies: Digital Security in a Networked World (Review)

  • M. J. Casey
  • International Hydrographic Review
  • June 2001

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

So sayeth Bruce Schneier, the guru in security systems circles. His statements are often blunt but he certainly backs them up with the right credentials. He authored one of the classic texts on cryptography (Applied Cryptography) and BLOWFISH, one of the most frequently used encryption algorithms used in business systems today. BLOWFISH is the algorithm used in the PRIMAR Security System. Although Schneier’s first book, …

Review of Secrets and Lies

  • The Business Security e-Journal
  • May 2001

There are a lot of misconceptions about computer security, and a lot of unrealistic expectations about what is and is not possible. The truth is that completely reliable computer systems are impossible to achieve, and secure computer and networking systems are equally impossible. When this is understood, one is, at last, in a position to recognize risk and manage it.

Secrets and Lies gives the clearest explanation we have yet seen as to the fundamental problems faced when dealing with technology. If you are responsible, directly or indirectly, for data security, you need to understand that it is impossible to make a program that is error-free. In addition, as programs become larger, more complex, and more connected with other programs on other machines, they become even more prone to errors and to errors caused by interactions among systems…

