The Virtual Bookcase for browsing and sharing reviews of books. New to this site? Read the welcome page first. | |
 |
Home Recent reviews Collected book news Welcome to this site Add your own book |
Book details of 'Secrets and Lies : Digital Security in a Networked World'
| Title | Secrets and Lies : Digital Security in a Networked World |
| Author(s) | Bruce Schneier |
| ISBN | 0471253111 |
| Language | English |
| Published | August 2000 |
| Publisher | John Wiley & Sons |
Back to shelf Computer security
Amazon.com info for Secrets and Lies : Digital Security in a Networked World
The Virtual Bookcase Reviews of 'Secrets and Lies : Digital Security in a Networked World':
Reviewer Koos van den Hout wrote:You may think this is just another book about computer and network security, but this one is different. This book starts at basic questions like "What do you want to secure" and "What are the threatening factors". Understanding security is an important part in security. Bruce Schneier writes an interesting book which is both good as a book to read and as a guide-book to help you think about security as part of the total process. This is a book the system administrator can give to the manager to read to help him understand that just buying a firewall is not going to solve the real problems. Recommended.
Reviewer amazon.com wrote:
Whom can you trust? Try Bruce Schneier, whose rare gift for common sense makes his book Secrets and Lies: Digital Security in a Networked World both enlightening and practical. He's worked in cryptography and electronic security for years, and has reached the depressing conclusion that even the loveliest code and toughest hardware still will yield to attackers who exploit human weaknesses in the users. The book is neatly divided into three parts, covering the turn-of-the-century landscape of systems and threats, the technologies used to protect and intercept data, and strategies for proper implementation of security systems. Moving away from blind faith in prevention, Schneier advocates swift detection and response to an attack, while maintaining firewalls and other gateways to keep out the amateurs. Newcomers to the world of Schneier will be surprised at how funny he can be, especially given a subject commonly perceived as quiet and dull. Whether he's analyzing the security issues of the rebels and the Death Star in Star Wars or poking fun at the giant software and e-commerce companies that consistently sacrifice security for sexier features, he's one of the few tech writers who can provoke laughter consistently. While moderately pessimistic on the future of systems vulnerability, he goes on to relieve the reader's tension by comparing our electronic world to the equally insecure paper world we've endured for centuries--a little smart-card fraud doesn't seem so bad after all. Despite his unfortunate (but brief) shill for his consulting company in the book's afterword, you can trust Schneier to dish the dirt in Secrets and Lies.
Reviewer Rob Slade wrote:
"Secrets and Lies" has generated a great deal of interest in the security community this year. Much of this interest probably stems from the simple fact that it isn't every day (or every year) that you get a general security book, written for the non-specialist, produced by a major name in the field. But one point seems to have been glossed over in the praise for this work. Schneier's writing is lively, entertaining, and even playful throughout the entire book. Not only is this volume a realistic and useful view of the security enterprise, but it's a lot of fun. As the author of "Applied Cryptography," the leading text in the field; the founder of Counterpane Systems, with its major influence in encryption consulting; and the publisher of the Crypto-Gram newsletter, regular and thoughtful analyses of major encryption related issues; Bruce Schneier is, among the technically and cryptographically knowledgeable, arguably more influential than many academics whose names might be more widely known in relation to specific algorithms. So when Schneier states, in the preface, that cryptography is not "The Answer(TM)" to security, you have to take him seriously. He goes on, in the introductory chapter, to point out that "The Answer(TM)" does not exist: securing complex systems is a hard job purely because the systems are complex, and any easy answer is bound to be wrong. The price of digital reliability is constant vigilance. As such, don't come looking to this work for easy answers or cookbook solutions. What you will find is a solid introduction, and more, to the problems you have to overcome to keep your information safe, and some guidelines on how to go about the task. Part one is an overview of the field of network operations with a view to restricting some ideal definition of "secure" to a more achievable goal. Chapter two describes a number of digital threats (aside from the mention of salami attacks, quite realistically) and points out that none of the crimes are new, although the extreme of accessibility is. Various attacks, and various motivations, are reviewed in chapter three. The discussion of different types of adversaries, in chapter four, provides a reasonable assessment of the whole range from script kiddies to infowarriors, and compares relative levels of competency and risk tolerance. Chapter five outlines security needs and, again, points out that all computer security measures have their origins in physical security practices we all take for granted. Part two looks at the various technology components of security and security systems. The writing in this section is a little more mundane and less sparkling than other parts of the book, but the material is reliable and convincing. Chapter six is, of course, an excellent primer on the basic concepts and applications of cryptography. The analysis is extended to "real world" limitations and faults with encryption in chapter seven, including an intriguing comparison of proprietary protocols and alternative medicine. Chapter eight discusses computer security in broad terms, but concisely expresses concepts and models that many other books waste pages on without ever making the fundamentals clear. (It also provides some amazing, and occasionally amusing, glimpses into the lack of security in Microsoft's Windows.) Authentication is described well in chapter nine. Chapter ten is oddly unstructured. Entitled "Networked- Computer Security" it starts off with viruses and malware, talks a bit about operating system architecture, and ends up with some Web insecurities. While there are errors (particularly in the virus section) most of the material is not really bad: it just seems strange in comparison to the earlier chapters. Network Security, in chapter eleven, returns to the original level of focus, and explains various concepts using TCP/IP as an example. Chapter twelve takes a depressing, but accurate, look at the major network security tools, as well as making the important, though counterintuitive, point that false alarms can be worse than no security at all. Software reliability gets a fairly standard treatment in chapter thirteen, and much the same is true of hardware security in chapter fourteen. As might be expected, the coverage of certificates and the public key infrastructure, in chapter fifteen, clearly sets forth all necessary considerations and weak points to examine. Technical books usually have some catch-all chapters, but not all of them admit it up front. Chapter sixteen touches on a number of tricks that people have relied on to protect data, and uses devastating logic to point out why said stunts don't work. Finally, in chapter seventeen, we come to the largest source of security problems, and the one we can't do anything about: people. The first two parts looked at problems. Part three tries to present some solutions, or at least approaches to solutions. Chapter eighteen describes the vulnerability landscape, and suggests following the process of attacking a system, in order to identify how much security is needed at certain points, and weak areas that may need to be reinforced somehow. (This is a far cry from the "how to hack" tools lists of some of the more sensational "security" books, and much more useful.) Risk assessment, in chapter nineteen, is reasonable and balanced, but not great. Chapter twenty is disappointing, in that it is entitled "Security Policies and Countermeasures" but concentrates on a series of specific examples of good and bad security systems. Elsewhere the book promotes the fact that without a policy you have no security. It therefore seems a bit of an abdication of the topic to leave it without much discussion of the actual production of a policy. Attack trees might be seen as yet another example of a tool more useful to the security breaker than the sysadmin, but chapter twenty one's explanation shows how it can structure the task of analyzing protective measures. This process is far more likely to succeed than a vague injunction to secure everything, and this chapter alone probably makes this work a "must have" for every security library. Product testing, in chapter twenty two, deals mostly with how *not* to evaluate software, and includes a good discussion of full disclosure and the open source movement. However, I can definitely sympathize with the position of the latter part of the chapter: potential security is pointless, what really counts is how secure a system is when set up by the typical harried administrator. The future is usually left for last, but Schneier takes a solid look at likely trends and paints an alarming, if not completely apocalyptic, picture. Chapter twenty four supports one of the major theses of the book: security is a process, not a product. Therefore, the chapter provides a set of guidelines, attitudes, points, and general principles to be used in looking at security as a process. The conclusion, in chapter twenty five, seems to be that lots of people are trying to avoid their proper responsibility for security, but the task is achievable. Quite apart from the general readability of the text, Schneier has ensured that the content and explanations are accessible to any intelligent reader. You do not need specialist training to understand the concepts presented herein. And the concepts encompass pretty much everything to consider about security in a networked world. This is one of the very few books that I feel I can recommend without reservation to a newcomer concerned about computer or communications security. It presents the situation clearly, with real explanations of the dangers, but no overpromoted sensationalism. If the volume seems a bit long all I can say, with Schneier, is that security is complex. The book has very little wasted space. I can also say that security professionals will not regret time spent with it. We tend to need more frequent reminding than teaching, and the comprehensive coverage touches on many issues that are important, but may be ignored as not always being urgent. However, the book also does an excellent job of explaining some specialty and esoteric topics. Hopefully "Secrets and Lies" will have a prominent position on many security library shelves. copyright Robert M. Slade, 2000
Add my review for Secrets and Lies : Digital Security in a Networked World