Secrets and Lies: Digital Security in a Networked World by Bruce Schneier
Bestselling author Bruce Schneier offers his expert guidance on achieving security on a network.

Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.

* Walks the reader through the real choices they have now for digital security and how to pick and choose the right one to meet their business needs
* Explains what cryptography can and can't do in achieving digital security
Bruce Schneier is the founder and CTO of Counterpane Internet Security, Inc., the recognized leader in network security services. The bestselling author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World and Applied Cryptography, he is an internationally respected security expert.
Read an Excerpt
Chapter 1: Introduction
During March 2000, I kept a log of security events from various sources. Here are the news highlights:
Someone broke into the business-to-business Web site for SalesGate.com and stole about 3,000 customer records, including credit card numbers and other personal information. He posted some of them on the Internet.
For years, personal information has "leaked" from Web sites (such as Intuit) to advertisers (such as DoubleClick). When visitors used various financial calculators on the Intuit site, a design glitch in the Web site's programming allowed information they entered to be sent to DoubleClick. This happened without the users' knowledge or consent, and (more surprising) without Intuit's knowledge or consent.
Convicted criminal hacker Kevin Mitnick testified before Congress. He told them that social engineering is a major security vulnerability: He can often get passwords and other secrets just by pretending to be someone else and asking.

A Gallup poll showed that a third of online consumers said that they might be less likely to make a purchase from a Web site, in light of recent computer-security events.

Personal data from customers who ordered the PlayStation 2 from the Sony Web site were accidentally leaked to some other customers. (This is actually a rampant problem on all sorts of sites. People try to check out, only to be presented with the information of another random Web customer.)

Amazon.com pays commissions to third-party Web sites for referrals. Someone found a way to subvert the program that manages this, enabling anyone to channel information to whomever. It is unclear whether Amazon considers this a problem.

The CIA director denied that the United States engages in economic espionage, but did not go on to deny the existence of the massive intelligence-gathering system called ECHELON.
Pierre-Guy Lavoie, 22, was convicted in Quebec of breaking into several Canadian and U.S. government computers. He will serve 12 months in prison.
Japan's Defense Agency delayed deployment of a new defense computer system after it discovered that the software had been developed by the members of the Aum Shinrikyo cult.
A new e-mail worm, called Pretty Park, spread across the Internet. It's a minor modification of one that appeared last year. It spreads automatically, by sending itself to all the addresses listed in a user's Outlook Express program.
Novell and Microsoft continued to exchange barbs about an alleged security bug with Windows 2000's Active Directory. Whether or not this is a real problem depends on what kind of security properties you expect from your directory. (I believe it's a design flaw in Windows, and not a bug.)
Two people in Sicily (Giuseppe Russo and his wife, Sandra Elazar) were arrested after stealing about 1,000 U.S. credit card numbers on the Internet and using them to purchase luxury goods and lottery tickets.
A hacker (actually a bored teenager) known as "Coolio" denied launching massive denial-of-service attacks in February 2000. He admitted to hacking into about 100 sites in the past, including cryptography company RSA Security and a site belonging to the U.S. State Department.

Attackers launched a denial-of-service attack against Microsoft's Israeli Web site.

Jonathan Bosanac, a.k.a. "The Gatsby," was sentenced to 18 months in prison for hacking into three telephone company sites...
"...this book is of value to anyone whose business depends on safe use of email, the Web, or other networked communications" and "belongs in every manager's library." Business Week
"Schneier...peppers the book with lively anecdotes and aphorisms, making it unusually accessible." Los Angeles Times
Schneier "offers a primer in practical computer security aimed at those shopping, communicating or doing business online: almost everyone, in other words." The Economist
Schneier is "one of the foremost experts on computer security" and his 1995 Wiley book Applied Cryptography is "the landmark text on the security hazards of the Internet." Time Out New York
Schneier "gives the state of the art on corporate security." thestandard.com
Schneier "wrote the book on applied cryptography" Information Security
Secrets & Lies is "a written, well researched exploration of digital security as a system." slashdot.com
"Although Schneier's style is lively and spiced with unusual vocabulary (try looking up banausic and flagitious in your Funk and Wagnalls), no one is going to pick up this book for the sake of a good read. They want the information contained therein." eWEEK.com
"In Secrets and Lies the things that actually go wrong are explained by lots of concrete examples, some stunning." New Scientist
"Schneier's book is an excellent read.... He understands the issues and the issues behind the issues." Bill Machrone
Anne Fisher calls Secrets and Lies "a jewel box of little surprises you can actually use" and refers to the book as "a startlingly lively treatise." Fortune, November 27, 2000, p. 304
"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun." New Scientist, 2nd September 2000
I have written this book partly to correct a mistake.
Seven years ago I wrote another book: Applied Cryptography. In it, I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions (unregulated gambling, undetectable authentication, anonymous cash) safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."
It's just not true. Cryptography can't do any of that.
It's not that cryptography has gotten weaker since 1994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum.
Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.
Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible.
The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naive.
The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.
Since writing the book, I have made a living as a cryptography consultant: designing and analyzing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics were made irrelevant through bad programming, a lousy operating system, or someone's bad password choice. I learned to look beyond the cryptography, at the entire system, to find weaknesses. I started repeating a couple of sentiments you'll find throughout this book: "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product."
Any real-world system is a complicated series of interconnections. Security must permeate the system: its components and connections. And in this book I argue that modern systems have so many components and connections (some of them not even known by the systems' designers, implementers, or users) that insecurities always remain. No system is perfect; no technology is The Answer.
This is obvious to anyone involved in real-world security. In the real world, security involves processes. It involves preventative technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. And if we're ever going to make our digital systems secure, we're going to have to start building processes.
A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
This book is about those security problems, the limitations of technology, and the solutions.
Read this book in order, from beginning to end.
No, really. Many technical books are meant to skim, bounce around in, and use as a reference. This book isn't. This book has a plot; it tells a story. And like any good story, it makes less sense telling it out of order. The chapters build on each other, and you won't buy the ending if you haven't come along on the journey.
Actually, I want you to read the book through once, and then read it through a second time. This book argues that in order to understand the security of a system, you need to look at the entire system, and not at any particular technologies. Security itself is an interconnected system, and it helps to have cursory knowledge of everything before learning more about anything. But two readings is probably too much to ask; forget I mentioned it.
This book has three parts. Part 1 is "The Landscape," and gives context to the rest of the book: who the attackers are, what they want, and what we need to deal with the threats. Part 2 is "Technologies," basically a bunch of chapters describing different security technologies and their limitations. Part 3 is "Strategies": Given the requirements of the landscape and the limitations of the technologies, what do we do now?
I think digital security is about the coolest thing you can work on today, and this book reflects that feeling. It's serious, but fun, too. Enjoy the read.
This is one of the two books I think really formed my view of Information Security. Between 'Secrets and Lies' and 'Inside the Security Mind', I think we are ushering in a new age of Infosec books.
This book looks to be extremely delightful. I think it would be a great book for anyone that has any doubt about their security in this digital world we call the internet, people just wanting to learn about security, or even just home users that would like to know how computer security works. GO BUY IT NOW!
After reading this text, I now understand more about online security and how people do the good and bad things that they do online. This work definitely makes you think about what you do when shopping online.
Mr. Schneier has made an invaluable contribution to the new economy. He has written a very readable book that explains, in very plain English, the internet and network security issues with which everyone who has ever read or sent an email should be familiar. The book flows smoothly enough for you to read it at the beach, yet it contains so much critical information that after finishing it, you should bring it back to your office. The most compelling parts of the book point out the similarities and differences between security issues in the bricks and mortar world and the digital world.
I got about 40 pages into it over dinner and decided it was ready for the mandatory reading list here. If only it was required reading for everyone who does business online...
_Secrets and Lies_ is a necessary book for everyone who wonders about privacy and security on the Internet--that is to say, everyone. Schneier discusses the threats in cyberspace, the technologies to combat them, and (most importantly) the strategies that make those technologies work. It's not surprising that the technical information is solid. What might be surprising to some, though, is how lucid and funny Schneier's writing is. He doesn't talk down to readers, but you don't have to be a complete techie to understand what he's saying. Schneier's discussion of where things are and where they're going is fascinating and informative. I was especially interested by the legal stuff--many of the laws designed to enhance security and privacy actually damage it. Read this book, make your boss read it, make your IT manager read it, and send a copy to your congresscritter. It might just help make the Net safer.
I have just finished reading Schneier's most recent book. What an excellent piece of writing. I read it cover to cover and enjoyed almost every page. A very different approach than you took with Applied Cryptography, which I also enjoyed.