on 12 July 2001
The previous reviewer suggests that universities ought to base courses around this book. Well we are doing just that. Last year, Secrets and Lies was recommended reading, but now I have broken the cryptography and the security into two separate teaching streams and this book forms compulsory reading for the security stream (his Applied Cryptography is strongly recommended for the other stream).
This is an excellent book, very approachable, especially for undergraduates. Not ideally structured to be a text book, but then there's not many text books that you'd want students to read from beginning to end, every word. Our students even get to try out some of the defensive mechanisms on an isolated network, and this book tells them of many of the possible pitfalls to guard against, and gives them some idea of just how big and how important a job it is.
Look forward to a generation of security-aware computer science graduates, with a fair bit of help from Mr Schneier and his books!
on 26 April 2001
When the news broke that a Russian cracker had successfully broken into the computer systems of global banking giant Citibank and stolen $12 million, the message was clear: inadequate computer security can cost millions. In Citibank's case, it was not just the money that it lost to the hacker, but many millions more that was subsequently withdrawn by people fearful that their life savings might be at risk. And such incidents are just the tip of the iceberg if the anecdotal evidence presented by Bruce Schneier in Secrets & Lies is any guide. But the most dangerous perpetrators are not necessarily skilled Russian crackers, but the intelligence organisations of major industrialised countries, including America, Britain, China, France and Russia.
Although many are engaged in industrial espionage on behalf of indigenous industries - particularly the French and Chinese secret services, according to Schneier - for the most part, their targets are normally other governments. And often, as the book illustrates, private companies collude: "Crypto AG, a Swiss company, sells encryption hardware to a lot of Third World governments. In 1994, one of their senior executives was arrested by the Iranian government for selling 'bad' cryptographic hardware. When he was released from jail a few years later, he went public with the news that his company had been modifying their equipment for years at the request of US intelligence," says Schneier.
Others routinely use tools such as L0phtcrack to break into password protected systems. Older networking protocols, that require only seven, case-insensitive characters, can be cracked in hours. "On a 400-MHz Quad Pentium II, L0phtcrack can try every alphanumeric password in 5.5 hours, every alphanumeric password with some common symbols in 45 hours and every possible keyboard password in 480 hours," says Schneier.
And although Microsoft Windows NT does boast 128-bit encryption, the encryption keys are protected by a password system. This means that it is considerably less secure than people think. Indeed, Microsoft is learning only very slowly about how to build strong security into its products. The most important lesson for vendors to follow, says Schneier, is that such measures should be developed openly, and the computer community at large encouraged to test them to the limits before widespread adoption.
As a result, thousands of virtual private networks deployed worldwide are based on Microsoft technology that is littered with security holes. That technology is Microsoft's point-to-point tunnelling protocol (PPTP). "[It's] badly flawed," says Schneier. "They invented their own authentication protocol, their own hash functions and their own key generation algorithm. Every one of these items turned out to be badly flawed," he says. "It wasn't until 1998 that a paper describing the flaws was published. Microsoft quickly posted a series of fixes, which have since been evaluated and still found wanting," warns Schneier.
The reader of Secrets & Lies could be forgiven for thinking that security is futile. Schneier certainly knows his subject inside out. He can not only write knowledgably about such complex subjects as cryptography, but can write strong encryption algorithms himself. Schneier co-authored the Twofish Algorithm, one of the five finalists in the competition for the Advanced Encryption Standard (AES). And his first book, Applied Cryptography, sold more than 130,000 copies worldwide.
Secrets & Lies promises to match such sales. It is comprehensive, puts computer security into a wider context and is illustrated with numerous examples. As a result, not only is it entertaining, but is likely to end up on the reference shelf of thousands of CIOs worldwide.
on 31 October 2000
Bruce Schneier has written a book that is up to date, to the point and links to business needs. His previous book (applied cryptography) is excellent, but can only be used as a reference book for selecting the right crypto, not for understanding business implications of it. I use this book as the reference for a course I give on Data and Transaction Security, and find it most usefull as it provides real live example and also explains that the security must be linked to the needs and possible damage. I think this is a must read for anyone having a need to understand how Information security can become an asset in the digital world, and how "networked" corporations can secure their services while providing the needed functionalities and flexibility. It also explains that security is not only a matter of how much technology you put into it, it mostly depends on the people that manage and control it.
on 17 January 2004
I've actually had to read this book for module on my university course (had the exam last week, think it went pretty well), and it's a shame that many people will likely avoid it for fear of it requiring in-depth technial knowledge of the internet, other networks and computers in general. Whilst a little knowledge of such things is needed, is only along the lines of what they are and what they are used for. The book has been written as a start-to-finish book, i.e. it's not meant for reading the different chapters at leisure - there is definite follow-on. It never reaches too steep a learning curve, but more impressive is the fact that it manages to cover as wide a range of sub-topics that "digital security" covers, as it does, whilst never feeling like it's skimped on any of those sub-topics. It helps that it's not meant to look at any particular sub-topic too closely - you find full details on how to build a firewall, for instance, or how to design a cryptographic algorithm. But it also provides a little background on topics of especial interest, such as the US and UK governments' usage of digital security (in particular cryptography and their citizens' right to privacy versus the need for evidence gathering). Most interesting of all, are the main important points that network administrators and users should really take note of (this includes people who use the internet). Most of them, I must admit, I kind of knew already (however reading them from one of the foremost security experts around helps keep them in my mind), but I still don't follow all of them as I should. I do follow them better than the average internet user, though, otherwise e-mail worms and trojans and those stupid hoax e-mails would not continue being so successful.
In short, if you use the internet regularly, or some kind of computer network at work, this really is a must read.
on 18 January 2004
The book is a nice and easy read for an average user of the Internet or a middle level manager looking for information on data security. However it cannot be used as an academic source, since lots of opinion is very biased and rarely supported by fact or trustworthy sources. Nevertheless it is quite amuzing how the author pinpoints the formet USSR in almost every chapter of the book.
on 18 July 2002
This book isn't what I expected. I thought it would be like a detailed analysis of hacking techniques and vulnerabilities. Instead, Bruce takes an overall look at security and how it affects every aspect of our lives (e.g. smart cars, ATMs, etc.), of course focusing mainly on computer and internet security.
So, I was a little disappointed initially, but as I read on, I was impressed with the depth of knowledge presented with respect to security - as he explains how security is not just prevention (e.g. firewalls), but also about detection and response, which are equally important. Security is a process (not a product) and is a chain only as strong as the weakest link.
It's a great read, and he does discuss cryptography, password cracking - how most passwords are easily crackable (and how it's usually done) - including discussion about l0phtcrack. I really liked the way he included real life security disasters, which made it more interesting.
This book has made me much more aware of security issues and the importance of open source security testing. Highly recommend it.
on 6 April 2004
This book is without a doubt my favourite IT book. Its an excellent read for both those involved in security and those who are not. The book covers a broad range of topics, starting with some general, non IT security concepts. The book then details among many other things, PKIs, digital signitures, biometrics. The kind of common methods used to attack or eavesdrop on systems, such as buffer overflow vulnerabilities and man-in-the-middle techniques. All in all a great read, highly recommended.
I first tried reading the Authors other book, Applied Cryptography, but that was way too technical for my needs.
Then along comes this book, at just the right level. I encourage everyone to read this to get a basic appreciation of the issues and underlying principles. The only disappointment was there is very little material on Chip/Smart Cards; this is a fast-evolving area of study, and I hope there is another edition soon with a chapter on this topic.
on 10 March 2001
Do not expect in-depth technical information from this book, expect an overview of the technologies involved and a description of their generic security flaws. This book is far more important than any technical manual. It provides the reader with a lesson on "how to think" in security terms - not "what to think" or do. If you are interested in getting into IT security make sure this is the first book you read.
on 24 July 2009
This is a good basic overview of digital security in the broadest sense. For me the author's habit of slipping really esoteric words into the text spoilt the read as I was always wondering what he was going to try next. This may have been to demonstrate his superior knowledge but it is REALLY irriating.
I suggest that you brush up on the meanings of the following words before starting to read: limn, seriatim, fungible, elide, daedal, operose, malefic, iatrogenic, pregnable, neoteric, nescient, hortatory, aleatory, cozen, jeremiad, croggle, banaustic, anomie.
Some may be jargon but most aren't. The use of opaque words detracts from clear explanations.