Secrets and Lies : Digital Security in a Networked World

Why am I disappointed?

1)
There are far too many repetitions in the book - numerous ideas, principles, accounts of various events, statements, etc. are repeated over and over again, and are too lengthy.

Moreover, the author comes up with some point, sufficiently proves it with some statement or example, and instead of recognizing that he has already proved his point and stopping on that, he keeps going and gives more and more examples and statements to further support his point.

This is unnecessary, boring, annoying, and most importantly, consumes too much of reader's time. I think if one got rid of all the repetions and unnecessary "proofs", the whole book would shrink from 412 pages to, maybe, 150-170. This book should be read/scanned from start to end and *selectively*.

2)
While I am aware of incredible, and absolutely mind boggling, complexities and interdependencies of the Net (and those within IT, in general), as well as the *potential* for hacking and abuse of networks, I got strong impression that the author's intention was to terrify readers by *constantly* coming up with *potential*, unrealistic and out of this world, hypothetical dangers.

Also, it should be noted that the author is CTO and co-founder of a big, multi-million dolar security monitoring firm...

While reading the book, I felt the author was "grinding his axe" - spreading fears among his possible future customers (big companies heavily relying on secure networks). I wasn't quite sure whether it was just my perception or not, until I read his own words on page 398 where he admits that the book seems a little self-serving. I woudn't say it is just a little, though.

To sum up, I think the book can be a good, an interesting and selective read for people who are new to IT. Just don't take this "scare campaign" too seriously - the Net has been functioning for so many years, interestingly, it hasn't been brought down by "malicious hackers" as the author suggests it could easily be. I think there is more to it than that.

Two stars go for the book, and the third one for the fact that the author didn't side with micro$oft :o)

mirek zywert

Rating:
Summary: Great security lessons for everyone!
Review: This book covers security in both the digital and physical form. Schneier excellently explains all aspects of the digital security process and each step of the way he gives "physical" exanples.
Anyone who is concerned with security - any type of security - should read this book and hold onto it as a refrence. It's exciting and very enlightening. Highly recommended!!!

Rating:
Summary: Must read for every security professional
Review: Bruce provides the phylosophical playground of computer security. After reading the book you be better equiped to understand the security companies blurb, what works, what not, and where does it take place. Bruce cuts through the hype, presenting the concept in clear and concise language. Yet, even the professional will understand security better after reading that book.

Rating:
Summary: To whoom was it written?
Review: Some references said that this book a business issue, not a technical one. The second half of this statement is definitely correct. I'm an engineer teachig in a Community College and I looked for some book to brush up the interest of my students. Not a technical book. Unluckily enough I've selected this one, but I was disappointed very much.
Words and words. So much text and hardly any fact. If any that's old enough being known publicly.
I'm sure that even business people have not enough time to read through so much text for so little relevant information to mine out.
So as for the first half of the statement cited, I doubt that businessman can gain anything of this book except the fear of using such a public facility as Internet is.

Rating:
Summary: Easy to read introduction to computer security
Review: This is a very accessible introduction to the world of computer security. Schneier knows his stuff technically as is demonstrated in his other book, Applied Cryptography. with this book he also shows that he knows how to communicate these ideas without being too technical. This is a must-read book for anyone managing a computer software product or anyone who wants to get their feet wet with security.
My one complaint is that he goes out of his way to attack Microsoft. Schneier has an axe to grind with the company and makes it known. Microsoft does have a lot of security vulnerabilities found in its products but that is because they are so widespread, not because they are worse than other products.

Rating:
Summary: A good book, but I feel it lacks a very fundamental thing...
Review: This is an excellent book for you network admins, managers, and basically anyone not extremely familiar with the psyche of a hacker.

It covers the technology in simple terms, as well as exploring the mind of these "hackers" and various people skulking around the internet.

I do, however, feel it's missing in-depth information into the actual thinking of a hacker. It does have some brief exploration of what they might think, or try to do, but it is missing anything of real substance on the matter. Now, maybe this wasn't the point of the book, and I understand that, but I feel if the author decided to write about hackers, he might of researched it a bit, maybe interviewed a few, and expanded the section beyond just 3 or 4 pages.

Other than that gripe, I would say the book is an excellent read. In some sections it's somewhat optimistic about the future internet security and provacy, in most of the others, it's not. In the end, the author tries to be as light-hearted as possible, but overall, the book might be somewhat depressing (depending on how much of an impact the topic has on your life.)

Rating:
Summary: Required reading
Review: For persons engaged in discourse about security or involved in spending their company's money with respect to security, this book should be required reading.
Most two paragraph summaries of this book reveal more insight and common sense than your average IT drone seems to posess after months of contemplation.

Rating:
Summary: Another wonderful masterpiece from Schneier
Review: There is no much to say about this book other than that it is a masterpiece. If you have read his Applied Cryptography, then you will love this less-technical but still a great work. If there are people in computer security who are real professionals and are on the ball, Scheiner is in the first 10 of them. Highly recommended even for non-techies.

Edgar Danielyan CCNP(Security)
Danielyan Consulting
...

Rating:
Summary: Interesting and worth buying......
Review: I liked it.... course it is not very memorable, since I cannot remember much about it 3 months later.

Rating:
Summary: Why Digital Security Isn't!
Review: Bruce Schneier has an M.S. in Computer Science from American University and a B.S. in Physics from the University of Rochester but he is self-educated in the areas of computer security and cryptography. An acknowledged expert in the field of cryptography, he has written eight books and dozens of articles on topics as wide ranging as techniques for securing installations of the MacOS to the detailed specifications of an encryption algorithm. He used to be president of Counterpane Systems, which was a consulting firm specializing in cryptography and computer security. He is now Chief Technical Officer of Counterpane Internet Security, Inc., a company he co-founded, which provides world wide real-time security monitoring services.

Secrets & Lies is an attempt at writing a book to provide everything you wanted to know about cryptography, computer hacking, and the security issues of computers and computer networks. The book is written in three main sections. The first concentrates on the modern electronic environment and the threats to security and commerce that exist within it, and how these weaknesses and threats compare to the more traditional security threats that have existed for years. The second section deals with the main categories of technologies that exist to secure computers and computer networks, and with the weaknesses of each of the types of security. The third section deals with how to develop a threat model, how to analyze a system for security vulnerabilities, and the future of data network security.

Secrets & Lies contains a lot of information arranged as a broad overview of information technology security. It is not, by any stretch of the imagination, a technician's handbook for securing a server or network. The system administrator or network operator may find some of the sections, such as how to analyze a system for security vulnerabilities, very useful but will not find a lot of answers on how to secure their particular network or system.

The main points that the author is attempting to impart can be discovered fairly quickly are that security is a process and not a product, security should be layered like an onion, security is like a chain in that it is only as strong as it's weakest link, and finally that security should be applied to the entire system and not just individual pieces. Yes, the book does read as if a computer security consultant wrote it, which is exactly what the author has been doing for a good part of his life. Having said that, the book is very readable and would be understandable to most business people, whether a person is an IT professional or a financial department manager. If new to the IT field or IT security a person would benefit greatly from this book.

Another theme of the author's, though it is only mentioned once, is the idea that computer security rests on the three pillars of integrity, availability, and confidentiality. Though much of the book is admittedly written with the goal of explaining how each of these "pillars" can or can't be accomplished, a disservice is done by not mentioning these principles earlier and providing them a higher level of importance. The technologies, the threats, and the weaknesses of the technologies receive the limelight in this book but the big "so what" is why the technologies even exist. The "why" is explained by the three pillars and though they are a conceptual idea it is important that the reader understand their importance prior to getting distracted by 128 bit encryption which is, after all, only a means to an end.

The IT professional; however, may find the book overly long and wordy. To make the different technologies understandable to almost anyone the author made free and extensive use of analogies that can at times be quite lengthy and simplistic. The analogies do accomplish the goal of clearly explaining the underlying principles, operation, and problems in several areas such as PKI and certificates but the IT professional who already is familiar with the topic will cringe at some of the simplistic explanations.

This is a good one over the world familiarization book on digital security. IT professionals should read this book, though they might want to consider skipping the first six chapters. The first six chapters are; however, an excellent primer for managers who are unfamiliar with data network security and the huge challenge posed by securing information systems and networks.

PJZ