Secrets and Lies : Digital Security in a Networked World

List Price: $17.95
Your Price: $12.21

Rating: 4 stars
Summary: A good introduction to the main issues
Review: This book would make a useful addition to the library of any system administrator or security manager. On its own, it is a good introduction to the major issues involved in digital security, and would suit a CEO or someone who needs an overview of digital security without too much technical detail.

Unlike his previous text - Applied Cryptography - this book is light on detail, and covers a lot of ground. It is written in an easy style, and while it is not exactly a page turner, it keeps your interest. If I could summarise the one message I took from this book it is that it is not a question of if your organisation is going to be hacked, but when and how badly. Schneier does not present the task as a hopeless one, but offers clear strategies to combat the threat.

I would have given the book five stars, except I am interested in database security particularly, and he doesn't really go into that in any detail.

Rating: 5 stars
Summary: A classic and 'must read' book - raises awareness
Review: This book introduces security and privacy to technical and non-technical readers alike. What I especially like are:

- Social aspects of security and privacy are addressed using the motives of attackers and broad profiles of attacker types, analysis of threats and countermeasures, and what it all means from legal and social perspectives.

- Easy introduction to security infrastructures. The author imparts a good deal of technical knowledge without overwhelming non-technical readers.

This book may initially disappoint technical readers who have read Mr. Schneier's earlier book (Applied Cryptography), but I can assure you that the technical underpinnings are only part of the picture. This book gives a complete view of all aspects of security, and is invaluable because it raises awareness of all issues. It's all the more valuable because it can be read and understood by a broad audience. There are two other books that I recommend in addition to this one: "Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community" (Mr. Schneier wrote the preface to this book), and Richard Hunter's "World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing".

Rating: 1 stars
Summary: Same old song and dance: gimme your $$$
Review: If Bruce Schneier has acquired a habit, it is the ability to take the same old material and rehash it into different books, year after year. My guess is that, next year, he'll use another slightly different angle and try to sell you the same basic information. What you need to do, as a consumer, is step back and see this book for what it is: supplemental income and marketing for Bruce Schneier.

Years ago, Bruce was laid off from AT&T Bell Labs. Since then, Bruce has been using rubes like you to augment his salary. Let's face it; if Bruce were a Ken Thompson or a Claude Shannon, he'd probably still have his job at Bell Labs. But he isn't and he doesn't. Instead he wrote a book and touted himself as an expert to an industry of people who didn't know any better.

Secrets and Lies is just a Frankenstein book. Different parts from Applied Cryptography were ripped off and sewn back together to create a book that moves slowly and talks at a grade school level. I suppose he's probably targeting MBAs with this book. Bruce probably figured that the MBA crowd would be scared away by the strange diagrams and formulas in Applied Cryptography.

Recently I spoke with a PhD, from Brown, who performed decades of research in number theory. He recommended "Cryptography in C and C++," by Michael Welschenbach. He also said "I don't know why people think Applied Cryptography is such a good book. He [Schneier] doesn't seem to understand the mathematics very well." Pick up Applied Cryptography sometime and compare it side-by-side with Welschenbach's book. You'll see what that PhD was talking about.

What I find truly onerous about his books is the condescending tone that Schneier adopts when addressing the reader. It's as if he's saying "I am so much more elite than you, I can't even begin to tell you." The truth is that Bruce Schneier is a lot of style without much substance. What he lacks in ability he makes up for with moxie. Having lived in Minneapolis, I'm more than familiar with the type of yuppie pretenders that live on Hennepin Avenue with their nose piercings and their tattoos. Bruce, that ponytail doesn't fool anybody. You're just another suit with something to sell.

Rating: 5 stars
Summary: More like a cookery course than a set of recipe cards
Review: During the course of writing this book, Bruce has broadened his focus from the rather theoretical realm of cryptography to a far more pragmatic and, in my opinion, valid view of security/controls in the round. The central and frankly rather demoralising thesis of the book (that perfect security is unattainable in the real world) is convincingly argued throughout, but Bruce develops the point that a 'reasonable level' of security is in fact a realistic goal for any organisation. This book helps the reader challenge widespread assumptions about IT security to form a much clearer view on what constitutes 'reasonable'.

In a nutshell, strong cryptography, by itself, is never enough but has to be properly integrated with the total controls environment. Technical and procedural controls must work in concert to prevent, detect and react to security threats. In my view, the book is very well written but is not an easy read. It's certainly stimulating, if you understand the issues, and has prompted me to review the way I approach IT security risk analyses and controls design. I'm particularly intrigued, for example, by the concept of building (and perhaps sharing via the web?) a library of 'attack trees' to examine security risks. But this is no cookbook of security controls - the real world is just too complex and dynamic. It's more like a cooking course by a top chef than a set of recipe cards.

The bottom line: a fascinating insight and a worthy successor to his last classic, Applied Cryptography. Absolutely first rate.

Rating: 5 stars
Summary: Pay attention to this book
Review: This book is a must-read for anyone who will ever write a computer program, administer a network, manage an IT department, or otherwise deal with a computer in any way. Schneier illustrates how security is the responsibility of every part of any computing system and of every person using that computing system.

This book casts aside the militaristic notions of security practiced since the beginning of computers, in which threats are viewed as well-behaved entities that will attack where we expect and will stop where we set up defenses. Instead, Schneier shows that security breaches are unavoidable, but manageable.

Far from the encyclopedic "Applied Cryptography," his previous best-seller, the most techno-challenged person will find this book an easy read. However, the most technically skilled person will benefit just as much from Schneier's insights. As Richard Feynman had with the field of physics, Schneier has the rare combination of brilliant technical comprehension of security concepts well beyond the reach of most people, yet possesses also the ability to communicate these concepts more fluently and accessibly than any other specialist in the field.

If you want to know how security ought to be studied and practiced, read this book. If you think you know enough about security already, read this book, and it will disprove you.

Rating: 5 stars
Summary: Great book, really like it
Review: I highly recommend this book for everyone interested in comp security. This book is very comprehensive, and covers every possible aspect. Even though it was published in 2000, I didn't feel it's dated, since the problems are the same.

Rating: 4 stars
Summary: Great info, even if self-serving
Review: Schneier's job is security. How do you get more customers? By scaring them. He does plenty of this in this book, and even admits at the end that part of his agenda is to drum up business for his newly restructured company, Counterpane. Of course, this admission directly follows Schneier's comment that the best way to secure your network is by outsourcing (read: hiring Counterpane to do it).

That said, aside from the standard-issue security hype and redundant examples, Schneier has outlined the important parts of the security process in a way that can be understood by all. His emphasis on addressing threats, and not just vulnerabilities, is very welcoming. Too many times, authors and companies spend all of their time and money addressing every known vulnerability. By prioritizing the fixes according to the capability and intent of the perceived adversaries (hackers, corporate spies, etc.), the overall security is greatly enhanced. If there's no threat, then even the most vulnerable system is secure.

Rating: 4 stars
Summary: Essential reading for anyone interested in Security
Review: I first tried reading the author's other book, Applied Cryptography, but that was way too technical for my needs.
Then along comes this book, at just the right level. I encourage everyone to read this to get a basic appreciation of the issues and underlying principles. The only disappointment was there is very little material on Chip/Smart Cards; this is a fast-evolving area of study, and I hope there is another edition soon with a chapter on this topic.

Rating: 1 stars
Summary: Same old story, different cover
Review: You would think that this long after Sept. 11 that the information security community and its wanna-be futurists and strategic thinkers (like Schneier) would at least be able to think in those terms. Originality of thought is nowhere to be found.

Rating: 4 stars
Summary: This is a really good book to give a manager.
Review: This is a really good book to give a manager.

It tells stories of what happens when you don't do security right without getting too technical.

Schneier also goes into details about how security can be product based but must be process based.

If you can get your CISO to understand this, you are lucky.

© 2004, ReviewFocus or its affiliates