The Barnes & Noble Review
Finally in paperback: what may be the world’s most thoughtful guide to computer and network security. Bruce Schneier’s Secrets and Lies is for anyone who needs to address security: businesspeople and technical people alike.
Schneier begins with a paradox: “Even as we learn more about security... we build things with less security.” This book explains why -- and what can (and can’t) be done about it.
The problem starts with systems. They’re complex. They interact. They’re buggy. And they have “emergent” properties their creators never anticipated. The best (if imperfect) response: prevention, detection, and reaction. (Most networks rely primarily on prevention. Not enough.)
Schneier then explains why attacks are becoming more frequent, widespread, automated, and difficult to track. What to do? Working from the premise that technology isn’t nearly everything, he carefully explains today’s key security technologies. Never expected to understand public-key encryption or digital signatures? You finally will.
Today’s most common attacks are covered; so are the best available responses (often far from foolproof). There’s also a brutally realistic chapter on the human side of computer security: how people perceive risks, the futility of asking them to make intelligent security decisions, and the dangers of “social engineering.”
Part III is dedicated to high-level response strategies -- including Schneier’s own “attack trees” technique, the first systematic way to describe threats, countermeasures, and overall security.
Schneier’s updated this edition with a new introduction: “What Has Changed Since 9-11.” Like the rest of this book -- and his many public writings on homeland security -- it’s very much worth reading.
Bill Camarda
Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.
Read an Excerpt
Chapter 1: Introduction
During March 2000, I kept a log of security events from various sources. Here are the news highlights:
Someone broke into the business-to-business Web site for SalesGate.com and stole about 3,000 customer records, including credit card numbers and other personal information. He posted some of them on the Internet.
For years, personal information has "leaked" from Web sites (such as Intuit) to advertisers (such as DoubleClick). When visitors used various financial calculators on the Intuit site, a design glitch in the Web site's programming allowed information they entered to be sent to DoubleClick. This happened without the users' knowledge or consent, and (more surprising) without Intuit's knowledge or consent.
Convicted criminal hacker Kevin Mitnick testified before Congress. He told them that social engineering is a major security vulnerability: He can often get passwords and other secrets just by pretending to be someone else and asking.
A Gallup poll showed that a third of online consumers said that they might be less likely to make a purchase from a Web site, in light of recent computer-security events.
Personal data from customers who ordered the PlayStation 2 from the Sony Web site were accidentally leaked to some other customers. (This is actually a rampant problem on all sorts of sites. People try to check out, only to be presented with the information of another random Web customer.)
Amazon.com pays commissions to third-party Web sites for referrals. Someone found a way to subvert the program that manages this, enabling anyone to channel information to whomever. It is unclear whether Amazon considers this a problem. The CIA director denied that the United States engages in economic espionage, but did not go on to deny the existence of the massive intelligence-gathering system called ECHELON.
Pierre-Guy Lavoie, 22, was convicted in Quebec of breaking into several Canadian and U.S. government computers. He will serve 12 months in prison.
Japan's Defense Agency delayed deployment of a new defense computer system after it discovered that the software had been developed by the members of the Aum Shinrikyo cult.
A new e-mail worm, called Pretty Park, spread across the Internet. It's a minor modification of one that appeared last year. It spreads automatically, by sending itself to all the addresses listed in a user's Outlook Express program.
Novell and Microsoft continued to exchange barbs about an alleged security bug with Windows 2000's Active Directory. Whether or not this is a real problem depends on what kind of security properties you expect from your directory. (I believe it's a design flaw in Windows, and not a bug.)
Two people in Sicily (Giuseppe Russo and his wife, Sandra Elazar) were arrested after stealing about 1,000 U.S. credit card numbers on the Internet and using them to purchase luxury goods and lottery tickets.
A hacker (actually a bored teenager) known as "Coolio" denied launching massive denial-of-service attacks in February 2000. He admitted to hacking into about 100 sites in the past, including cryptography company RSA Security and a site belonging to the U.S. State Department.
Attackers launched a denial-of-service attack against Microsoft's Israeli Web site. Jonathan Bosanac, a.k.a. "The Gatsby," was sentenced to 18 months in prison for hacking into three telephone company sites...
What People are saying about this
From the Publisher
"...this book is of value to anyone whose business depends on safe use of email, the Web, or other networked communications" and "belongs in every manager's library." Business Week
"Schneier...peppers the book with lively anecdotes and aphorisms, making it unusually accessible." Los Angeles Times
Schneier "offers a primer in practical computer security aimed at those shopping, communicating or doing business onlinealmost everyone, in other words." The Economist
Schneier is "one of the foremost experts on computer security" and his 1995 Wiley book Applied Cryptography is "the landmark text on the security hazards of the Internet." Time Out New York
Schneier "gives the state of the art on corporate security." thestandard.com
Schneier "wrote the book on applied cryptography" Information Security
Secrets & Lies is "a well-written, well-researched exploration of digital security as a system." slashdot.com
"Although Schneier's style is lively and spiced with unusual vocabulary (try looking up banausic and flagitious in your Funk and Wagnalls), no one is going to pick up this book for the sake of a good read. They want the information contained therein." eWEEK.com
"In Secrets and Lies the things that actually go wrong are explained by lots of concrete examples, some stunning." New Scientist
"Schneier's book is an excellent read.... He understands the issues and the issues behind the issues." Bill Machrone
Anne Fisher calls Secrets and Lies "a jewel box of little surprises you can actually use" and refers to the book as "a startlingly lively treatise." Fortune, November 27, 2000, p. 304
"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun." New Scientist, 2nd September 2000