Secrets and Lies: Digital Security in a Networked World [Paperback]

At the moment, it seems that hardly a day passes without fresh news of some glaring Internet security breach; online banks, of all things, seem to be particularly vulnerable at the moment. All of which will come as no great surprise to network security cum cryptography guru, Bruce Schnier. His latest book, Secrets and Lies, paints a very gloomy overview of the true state of network security. Schnier, founder of Counterpane Internet Security, has some harsh words to say about the state of network security, though, to be fair, his criticisms are directed far and wide; not one scapegoat, (not even Microsoft) is singled out for special attention. Depressingly, the words "fundamentally flawed" crop up time and time again in this absorbing book.

Secrets and Lies is a thorough backgrounder in all aspects of network security, an extremely wide remit that stretches from passwords to encryption, passing through authentication and attack trees along the way. The book is divided in to three broad categories, The Landscape, which covers attacks, adversaries and the need for security; Technologies, which discusses cryptography, authentication, network security, secure hardware and security tricks; and concludes with Strategies, which looks at vulnerabilities, risk assessment, security policies and the future of security. Mercifully there's a dim light at the end of this tunnel and Schnier ultimately remains upbeat about maintaining computer security and details a way forward in his conclusion.

Although working in a necessarily techie environment, Schnier's book is surprisingly jargon-free and easy to understand, even if you're not au fait with the inner workings of TCP/IP--it's common-sense, practical style makes a potentially dense and arcane subject accessible by just about anybody. It's also bang up to date, which makes for a pleasant change. Secrets and Lies is never less than thought-provoking and should be essential reading for every network administrator in the land. Be afraid, be very afraid! --Roger Gann --This text refers to an out of print or unavailable edition of this title.

"Instead of talking algorithms to geeky programmers, he offers a primer in practical computer security aimed at those shopping, communicating or doing business online - almost everyone in other words." --This text refers to an out of print or unavailable edition of this title.

The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be. That's why Secrets and Lies belongs in every manager's library. --This text refers to an out of print or unavailable edition of this title.

Bruce Schneier's latest book on security is a rare achievment, as it takes a highly technical and often deadly dull topic and creates a surprisingly acessible and often fascinating read for even the least techy exec. "Secrets and Lies" lays out the current landscape of network security- from the challenges presented by hackers and viruses to the often ineffectual state of corporate security systems. Schneier offers enough gritty history, cautionary tales, and colorful explinations to keep readers engrossed, whether they're new to the security field or seasoned professionals. In addition, he has managed to pepper his text (especially the latter sections) with plenty of useful tips and advice that can help companies battle their way through the dangerous and often confusing task of securing their most valued assets. --This text refers to an out of print or unavailable edition of this title.

Secrets and Lies is also a jewel box of little surprises you can actually use. See, for example, Schneier's persuasive analysis of why writing down your password (in defiance of your system administrator's pleas) can make your computer, and your network, more secure rather than less. One thing's certain: This book will make you think twice about ever again using your Visa card on a secure Website. --This text refers to an out of print or unavailable edition of this title.

TECHNOLOGY YOU By Stephen H. Wildstrom --This text refers to an out of print or unavailable edition of this title.

“…The security technologies available are described in a user–friendly way without going into depth...” (Computer Bulletin, January 2005)

“…peppered with lively anecdotes and aphorisms, making it a really accessible read...” (The ISSG Magazine, Autumn, 2004)

“…fascinating read…peppered with lively anecdotes…” (The ISSG Magazine, October 2004)

"...make yourself better informed. Read this book." (CVu, The Journal of the ACCU, Vol 16(3), June 2004)

"The security technologies available are described in a user-friendly way without going into depth."

Be thankful cryptography guru Bruce Schneier works for the good guys. The founder and C.T.O. of Counterpane Internet Security knows just how weak your company's security really is. You could wait and find out in September, when his new book, Secrets and Lies: Digital Security in the Networked World comes out. Or you can keep reading.

How would you describe the current state of online security?
Terrible. The products that claim to provide security actually don't do a very good job. They're not implemented, installed, or operated properly. We see a half-million credit card numbers stolen from a site, or we see that everybody's Hotmail accounts have been accessible to anyone, but nobody has noticed. I think that's very, very common and that it just hits the press when somebody notices. Most of the time nobody notices.

Is there a solution?
Realistically, we're losing. Things are not getting better. They're getting worse, primarily because they're getting more complex. Complexity is the enemy of security. Windows NT 4.0 had 16 million lines of code; Windows 2000 has 35 million to 60 million lines of code. So the number of bugs is going to double or triple. If we're seeing one security flaw a week with NT, in Windows 2000 we're going to see three a week or more. And now everything is connected. What [the Melissa virus] taught us is now Microsoft Word is a network product. As things get interconnected, things can break each other.

Could all this solved with better programming practices?
Better programming practices equal slower development and more money. If you walk into Microsoft and say' " Great - let's use better programming practices." Your operating system will be delayed by three years, and it will cost twice as much. They will show you the door.

The market place doesn't reward security because there's no liability. When we found out that Hotmail wasn't protecting anybody's security, there were no screams of liability. It's almost as if someone builds a building and it collapses and they say, "wait until building 1.1. that will be strong." (Thomas Claburn, Smart Business (formerly PC Computing), April 2000) --This text refers to an out of print or unavailable edition of this title.

"...this book is of value to anyone whose business depends on safe use of email, the Web, or other networked communications" and "belongs in every manager′s library." ––Business Week

"Schneier...peppers the book with lively anecdotes and aphorisms, making it unusually accessible." ––Los Angeles Times

Schneier "offers a primer in practical computer security aimed at those shopping, communicating or doing business online––almost everyone, in other words." ––The Economist

Schneier is "one of the foremost experts on computer security" and his 1995 Wiley book Applied Cryptography is "the landmark text on the security hazards of the Internet." ––Time Out New York

Schneier "gives the state of the art on corporate security." ––thestandard.com

Schneier "wrote the book on applied cryptography" ––Information Security

Secrets & Lies is "a written, well researched exploration of digital security as a system." ––slashdot.com

"Although Schneier′s style is lively and spiced with unusual vocabulary (try looking up banausic and flagitious in your Funk and Wagnalls), no one is going to pick up this book for the sake of a a good read. They want the information contained therein." ––eWEEK.com

"In Secrets and Lies the things that actually go wrong are explained by lots of concrete examples, some stunning." ––New Scientist

"Schneier′s book is an excellent read.... He understands the issues and the issues behind the issues." ––Bill Machrone

Review Anne Fisher calls Secrets and Lies "a jewel box of little surprises you can actually use" and refers to the book as "a startlingly lively treatise." ––Fortune, November 27, 2000, p. 304

"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it′s fun.." ––New Scientist, 2nd September 2000 --This text refers to an out of print or unavailable edition of this title.

"...a very practical guide..." --This text refers to an out of print or unavailable edition of this title.

"...make yourself better informed. Read this book." --This text refers to an out of print or unavailable edition of this title.

"...a good read..." "The book is interesting [and] educational..." --This text refers to an out of print or unavailable edition of this title.

As an editor at a computer publication in the early 1990s, I hired a freelance security expert to evaluate anti-virus software. After extensive testing he faxed the results; unfortunately, the fax went to one of my publication's direct competitors. His gaffe demonstrated why we will never see fail-safe computer security: human error. That premise emerged as a central theme of a new book written by the same freelancer, now a leading security expert. "Secrets and Lies: Digital Security in a Networked World" (John Wiley & Sons, 2000, $29.99), by Bruce Schneier, is a compelling brief on the industry's most obsessive anxiety. It's not a story for the faint of heart. Schneier's scary world makes the Wild West--to which the Internet is often compared--look like kindergarten. (For every gory detail on computer crime, check out "Tangled Web," by Richard Power; Que, 2000, $25.) "Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks--such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers--made headlines. Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages. A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats." "Script kiddies"--wannabes who use turnkey hacking tools they find posted on the Web--may be emerging as the biggest threat. Schneier explains the reasons for this grim scenario in simple truths: * In the hacking wars, technology favors offense over defense. * Complexity is the enemy of security, and the Internet is the mother of all complex systems. * Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities. * People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data) that it said would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key--typical among lazy computer users--a neophyte hacker would need about five minutes. Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised. It's not hard to imagine why security software developers would be short on confidence--their products are nearly always developed in a vacuum. "A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"--probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough." "If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day." A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users--as individuals or employees--must understand their role in protecting information--instead of naively relying on software tools to work without human vigilance. So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I wasstonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign. So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks. Dopey business plans are a bigger threat to the "dot-com" world, and the sale of personal data by marketers a bigger threat to individuals,than hackers will ever be. --This text refers to an out of print or unavailable edition of this title.

A Security State of Mind It's not encryption. It's not a password. It's not connecting through a VPN or an anonymizing service. Security means vastly different things to a national government, an e-commerce site, or a home user. Governments are rightly paranoid about little things like their military preparedness, new weapons systems, communications codes, and sensitive information about other governments. E-commerce sites amass records for millions of consumers; a break-in could net huge numbers of credit cards. Businesses are constantly evolving, and your chief competitor would love to know what you're up to. On the personal level, most of us don't have anything quite so vital as state secrets to protect, but theft of numbers and information that we use every day can make our lives a living hell. You only have to talk to one victim of identity theft to understand the excruciating-agony of suddenly being victimized by technology, as computers reject your bank and credit cards, and credit reports repeatedly reflect some crook's misadventures with your name and money. --This text refers to an out of print or unavailable edition of this title.

SCHNEIER SAYS Security expert Bruce Schneier's new book, Secrets and Lies, details the challenges of maintaining security in a networked world. Time and again, he makes the depressing point that security ultimately depends on human nature. The person who doesn't follow procedure, the careless user who leaves a password on a sticky note, and the one who attaches a modem connected to an outside line to a machine behind the firewall are all committing security breaches. And those are the ones without malfeasance. Schneier's book is an excellent read. Although he's a mathematician and security expert, the book is largely nontechnical-and even amusing, once you get past some of the horror stories. Unlike some other nontechnical security resources, Schneier's book is authoritative because he's been there and done that, having invented-and cracked-a couple of equally important algorithms. He understands the issues and the issues behind the issues. If you're not a hacker, or if you're new to the scene, you'll gain an appreciation for why designers of security systems and inventors of encryption algorithms put their documentation into public view and invite attacks. Basically, if someone can point out a flaw in your logic or a vulnerability in the system, then you can eliminate the weakness. And if attackers can't break in with full knowledge of the mechanism you're using to keep them out, that's good security. The book also shows you why formerly secure algorithms are no longer secure. In many cases it's simply that machines have gotten so fast that previously impossible numbers of calculations are now possible. Or that hundreds or thousands of machines working in concert over network can outperform some of the largest supercomputers in decryption. But in his introduction, Schneier says, "I have written this book...to correct a mistake." The mistake was his earlier contention that cryptography would keep all our information safe and be the key to a sophisticated digital world. As things have turned out, cryptography is a small but necessary ingredient in the much more complex recipe for security and privacy. --This text refers to an out of print or unavailable edition of this title.

Bestselling author Bruce Schneier offers his expert guidance on achieving security on a network
Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.
∗ Walks the reader through the real choices they have now for digital security and how to pick and choose the right one to meet their business needs
∗ Explains what cryptography can and can′t do in achieving digital security

"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun.." --This text refers to an out of print or unavailable edition of this title.

I started writing this book in 1997; it was originally due to the publisher by April 1998. I eventually delivered it in April 2000, two years late. I have never before missed a publication deadline: books, articles, or essays. I pride myself on timeliness: A piece of writing is finished when it's due, not when it's done.

This book was different. I got two-thirds of the way through the book without giving the reader any hope at all. And it was about then I realised that I didn't have the hope to give. I had reached the limitations of what I thought security technology could do. I had to hide the manuscript away for over a year; it was too depressing to work on.

I came to security from cryptography, and framed the problem with classical cryptography thinking. Most writings about security come from this perspective, and it can be summed up pretty easily: Security threats are to be avoided using preventive countermeasures.

For decades we have used this approach to computer security. We draw boxes around the different players and lines between them. We define different attackers -- eavesdroppers, impersonators, thieves -- and their capabilities. We use preventive countermeasures like encryption and access control to avoid different threats. If we can avoid the threats, we've won.

If we can't, we've lost.

Imagine my surprise when I learned that the world doesn't work this way. I had my epiphany in April 1999: that security was about risk management, that detection and response were just as important as prevention, and that reducing the window of exposure for an enterprise is security's real purpose. I was finally able to finish the book: offer solutions to the problems I posed, a way out of the darkness, hope for the future of computer security.

Secrets and Lies discusses computer security in this context, in words that a business audience will understand. It explains, in my typical style, how different security technologies work and how they fail. It discusses the process of security: what the threats are, who the attackers are, and how to live in their world.

It'll change the way you think about computer security. I'm very proud of it... --This text refers to an out of print or unavailable edition of this title.

Welcome to the businessworld.com. It′s digital: Information is more readily accessible than ever. It′s inescapably connected: businesses are increasingly ––if not totally––dependent on digital communications. But our passion for technology has a price: increased exposure to security threats. Companies around the world need to understand the risks associated with doing business electronically. The answer starts here.

Information security expert Bruce Schneier explains what everyone in business needs to know about security in order to survive and be competitive. Pragmatic, interesting, and humorous, Schneier exposes the digital world and the realities of our networked society. He examines the entire system, from the reasons for technical insecurities to the minds behind malicious attacks. You′ll be guided through the security war zone, and learn how to understand and arm yourself against the threats of our connected world.

There are no quick fixes for digital security. And with the number of security vulnerabilities, breaches, and digital disasters increasing over time, it′s vital that you learn how to manage the vulnerabilities and protect your data in this networked world. You need to understand who the attackers are, what they want, and how to deal with the threats they represent. In Secrets and Lies, you′ll learn about security technologies and product capabilities, as well as their limitations. And you′ll find out how to respond given the landscape of your system and the limitations of your business.

With its accessible style, this practical guide covers:
∗ The digital threats and attacks that you must understand
∗ The security products and processes currently available
∗ The limitations of technology
∗ The steps involved in product testing to discover security flaws
∗ The technologies to watch for over the next couple of years
∗ Risk assessment in your company
∗ The implementation of security policies and countermeasures

Secrets and Lies offers the expert guidance you′ll need to make the right choices about securing your digital self. --This text refers to an out of print or unavailable edition of this title.

"A primer in practical computer security aimed at those shopping, communicating, or doing business online – almost everyone, in other words."
–The Economist

Viruses. Identity theft. Corporate espionage. National secrets compromised. Can anyone promise security in our digital world?

The man who introduced cryptography to the boardroom says no. But in this fascinating read, he shows us how to come closer by developing security measures in terms of context, tools, and strategy. Security is a process, not a product – one that system administrators and corporate executives alike must understand to survive.

"This book is of value to anyone whose business depends on safe use of e–mail, the Web, or other networked communications. If that’s not yet everybody, it soon will be."
–Stephen H. Wildstrom, BusinessWeek

"It’s not often that a truly outstanding book is written for both technical users and management. Fortunately, Secrets and Lies pulls off this feat rather well."
–Dustin Puryear, Linux.com

"Schneier . . . peppers the book with lively anecdotes and aphorisms, making it unusually accessible."
–Los Angeles Times

Bruce Schneier is the founder and CTO of Counterpane Internet Security, Inc., the recognized leader in network security services. The bestselling author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World and Applied Cryptography, he is an internationally respected security expert.

Preface

I have written this book partly to correct a mistake.

Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions-unregulated gambling, undetectable authentication, anonymous cash--safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."

It's just not true. Cryptography can't do any of that.

It's not that cryptography has gotten weaker since I994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum.

Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.

Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible.

The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer TM. I was pretty naive.

The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.

Since writing the book, I have made a living as a cryptography consultant: designing and analysing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics were made irrelevant through bad programming, a lousy operating system, or someone's bad password choice. I learned to look beyond the cryptography, at the entire system, to find weaknesses. I started repeating a couple of sentiments you'll find throughout this book: "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product."

Any real-world system is a complicated series of interconnections. Security must permeate the system: its components and connections. And in this book I argue that modern systems have so many components and connections--some of them not even known by the systems' designers, implementers, or users-that insecurities always remain. No system is perfect; no technology is The Answer TM.

This is obvious to anyone involved in real-world security. In the real world, security involves processes. It involves preventative technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. And if we're ever going to make our digital systems secure, we're going to have to start building processes. A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. This book is about those security problems, the limitations of technology, and the solutions.

HOW TO READ THIS BOOK

Read this book in order, from beginning to end.

No, really. Many technical books are meant to skim, bounce around in, and use as a reference. This book isn't. This book has a plot; it tells a story. And like any good story, and you won't buy the ending if you haven't come along on the journey.

Actually, I want you to read the book through once, and then read it through a second time. This book argues that in order to understand the security of a system, you need to look at the entire system - and not at any particular technologies. Security itself is an interconnected system, and it helps to have cursory knowledge of everything before learning more about anything. But two readings is probably to much to ask; forget I mentioned it.

This book has three parts. Part 1 is "The Landscape," and gives context to the rest of the book: who the attackers are, what they want, and what we need to deal with the threats. Part 2 is "Technologies," basically a bunch of chapters describing different security technologies and their limitations. Part 3 is "Strategies": Given the requirements of the landscape and the limitations of the technologies, what do we do now? I think digital security is about the coolest thing you can work on today, and this book reflects that feeling. It's serious, but fun, too. Enjoy the read. --This text refers to an out of print or unavailable edition of this title.