Secrets and Lies: Digital Security in a Networked World [Paperback]

This is an excellent book, very approachable, especially for undergraduates. Not ideally structured to be a text book, but then there's not many text books that you'd want students to read from beginning to end, every word. Our students even get to try out some of the defensive mechanisms on an isolated network, and this book tells them of many of the possible pitfalls to guard against, and gives them some idea of just how big and how important a job it is.

Look forward to a generation of security-aware computer science graduates, with a fair bit of help from Mr Schneier and his books!

Although many are engaged in industrial espionage on behalf of indigenous industries - particularly the French and Chinese secret services, according to Schneier - for the most part, their targets are normally other governments. And often, as the book illustrates, private companies collude: "Crypto AG, a Swiss company, sells encryption hardware to a lot of Third World governments. In 1994, one of their senior executives was arrested by the Iranian government for selling 'bad' cryptographic hardware. When he was released from jail a few years later, he went public with the news that his company had been modifying their equipment for years at the request of US intelligence," says Schneier.

In the corporate world, many incidents such as the Citibank theft never see the light of day, but there are few bounds to the ingenuity of the enterprising cyber-criminal. One included a JavaScript trojan horse program in the description field of a 'product for sale' ad on eBay. In this way, he was able to collect login and password information from anyone that viewed his page.

Others routinely use tools such as L0phtcrack to break into password protected systems. Older networking protocols, that require only seven, case-insensitive characters, can be cracked in hours. "On a 400-MHz Quad Pentium II, L0phtcrack can try every alphanumeric password in 5.5 hours, every alphanumeric password with some common symbols in 45 hours and every possible keyboard password in 480 hours," says Schneier.

And although Microsoft Windows NT does boast 128-bit encryption, the encryption keys are protected by a password system. This means that it is considerably less secure than people think. Indeed, Microsoft is learning only very slowly about how to build strong security into its products. The most important lesson for vendors to follow, says Schneier, is that such measures should be developed openly, and the computer community at large encouraged to test them to the limits before widespread adoption.

As a result, thousands of virtual private networks deployed worldwide are based on Microsoft technology that is littered with security holes. That technology is Microsoft's point-to-point tunnelling protocol (PPTP). "[It's] badly flawed," says Schneier. "They invented their own authentication protocol, their own hash functions and their own key generation algorithm. Every one of these items turned out to be badly flawed," he says. "It wasn't until 1998 that a paper describing the flaws was published. Microsoft quickly posted a series of fixes, which have since been evaluated and still found wanting," warns Schneier.

The reader of Secrets & Lies could be forgiven for thinking that security is futile. Schneier certainly knows his subject inside out. He can not only write knowledgably about such complex subjects as cryptography, but can write strong encryption algorithms himself. Schneier co-authored the Twofish Algorithm, one of the five finalists in the competition for the Advanced Encryption Standard (AES). And his first book, Applied Cryptography, sold more than 130,000 copies worldwide.

Secrets & Lies promises to match such sales. It is comprehensive, puts computer security into a wider context and is illustrated with numerous examples. As a result, not only is it entertaining, but is likely to end up on the reference shelf of thousands of CIOs worldwide.