Rating:  Summary: Secrets and Lies Review: As a security 'newbie' I found "Secrets and Lies" very informative and entertaining. Anyone can, and everyone should, read this book if they are interested in internet security and privacy. Many of us realise that security in electronic commerce is important if we are to make the most of internet technology. Unfortunately, the majority of developers have rushed ahead, placing functionality before security. Many internet professionals place all their trust in the 'holy grail' of strong cryptography. Bruce points out that a secure system involves people, processes, operating systems, networks, switches and a plethora of other components that can go wrong. Sometimes the more you read about this sort of thing, the more you think that it isn't worth it: that there are so many exploits, bugs and vulnerabilities that it will never be safe. But Bruce places things in context, and gives us hope for the future - and makes us laugh in the process. A 'must read'!
Rating:  Summary: An Excellent Overview In Plain American Review: Written in English -- no, in plain American -- this is an overview of how digital security works, and doesn't work, with all the parts of the animal clearly labelled so that the smart non-programmer can follow along. The ideas are complex and build on each other, but Schneier organizes the information in an order that allows the reader to learn. Painlessly. Pleasurably. This is not a given in the world of technology literature. For those who understand programming, this is the graduate seminar follow-up to APPLIED CRYPTOGRAPHY, Schneier's definitive textbook on the subject. This is where he lets his hair down and tells you stuff about real world security that didn't get into that textbook. For those who've read his travelogues, this is more of Schneier's clear, cheery, no-bull voice, talking business this time, letting lots of light and air into a topic that one suspects sees little of either.
Rating:  Summary: A useful summary of security issues Review: If you learn about privacy and security issues by reading the papers and/or Peter Neumann's Risks, you know about incidents that have surfaced. This book gives you a framework for thinking about security and privacy incidents in this networked age. The author is a cryptographer and has his own systems security consulting firm. His major theme is that a company's security cannot be assured by technical means. Some security losses are unavoidable, according to the author. Thus, a manager must view security as a process in which prevention, detection and followup are important. The author sees a need for more outsourcing and insurance in the coming years. As far as I know there is no other book like this one. On that basis alone, it merits five stars. The coverage is broad and the treatment is accessible to the layman. The author writes very well. He uses examples effectively. The book is intended as a trade book, I assume, but I think it would be a good textbook in an MBA course. It might be appropriate in a computer science graduate program, also, as a non-technical introduction to the issues. Having praised the book, I must also point out that some topics are discussed more than once in the book. The repetition is a little off-putting by the end. But, overall, this is an excellent book and I highly recommend it.
Rating:  Summary: Security made fun and enjoyable! Review: I just finished reading "Secrets and Lies" and I must say the book is fantastic. I truly appreciate the manner in which Bruce Schneier delivered the information. I enjoyed the book as though I was reading for recreational purposes. This is the most enjoyable book on a technical topic I have ever read. The format leads the reader from the current security landscape to the technologies which are involved and then the strategies for deployment. Everyone who is involved with security would be better off after reading Mr. Schneier's excellent book. Thanks for the great read.
Rating:  Summary: Readable, covers the ground well Review: I got a review copy from Bruce. It is much chattier than his previous books which is just as well. This is a trade book designed for the mass audience, which is probably the market that needs a good book best. If you are interested in thinking about security then it is a good book. It is not something I would use as the main course text but it does not pretend to be a boring academic reference book. I will be recommending that my students read it however. Probably the best use for the book if you are a security professional is to give to someone to explain what you are doing or a system you have built for them. As for the other reviewer who was dissing Bruce for 'not knowing' that security labels have changed, the point was irrelevant. Bruce has done classified work so he is not going to be revealing military intelligence secrets unless he wants to be making big rocks into small ones in Leavenworth.
Rating:  Summary: Targeted audience Review: This book is targeted for business people. As a CISSP, there wasn't much surprising here, but a lot of information that might help cut down on the mythology surrounding security (i.e. firewall=security). I bought this based on the author's reputation and based on that I'll finish it, but any engineers that are used to reading technical books will find the manner of writing frustrating; non-geeks will appreciate the plain English. To be fair, Slashdot gave it a 10.
Rating:  Summary: A must read especially for non-technical people Review: This is definitely a great book for anyone interested in knowing how computer and network security really works (or, as in most cases, how it doesn't work). Schneier does a great job in keeping the subject interesting and fairly entertaining, although the book did have its share of slow parts. If you know about security and cryptography already, there's not going to be a lot of new facts here. But, the book does put everything in context and clearly explains why you should be a little skeptical when people brag about how their product is safe because it uses "128-bit RSA encryption" or how a firewall "completely prevents attacks and intrusions". There's a bit of a plug for Schneier's company at the end, though, and the conclusion of the book is almost saying "Hire us", but since it *is* Bruce Schneier I think that can be forgiven :)
Rating:  Summary: V8 for the brain Review: Not a technical manual, "Secrets and Lies" is intended to jog the reader's mind. It is well written and his style is almost personal as he tries to convey a very subtle point - usernames and passwords are old, it's time for a non-linear solution to information security. It doesn't give answers, but rather makes you think about your particular security situation (whatever that may be) from a sideways perspective. You should keep a notebook close while you read it to capture the ideas that spring to mind.
Rating:  Summary: No one does it better.... Review: Like Barbara Tuchman, Stephen Jay Gould, or the late Carl Sagan, Bruce Schneier has the unique ability to take esoteric material and explain it to a general reader in such a way that it sparkles and gleams and comes alive. This is a truly rare gift. Bruce's own particular area of expertise is cryptography and computer security. SECRETS & LIES is an overview of security within a digital world, written not for the programmer but the general reader. The book is wonderfully written, and bristles with ideas. SECRETS & LIES will make you re-think everything you thought you knew about the security of your computer.
Rating:  Summary: Pithy, Relevant and Indispensable Review: Beautifully succinct, you can see why this book took years to write. If you've ever found yourself wondering why computer systems keep getting attacked despite decades of academic research and the best efforts of commercial software companies, this is the book for you. Better yet, Bruce Schneier offers a way forward, provided you can take the blinkers off and look at things from a new perspective. This is probably the most important book on computer and network security I have ever read.