===============================================================
T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
June 26, 2001 | Vol. 2, #05 | http://www.securius.com/

CONTENTS: SECRETS & LIES -- BOOK REVIEW
===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
BOOK REVIEW -- SECRETS & LIES: DIGITAL SECURITY IN A
NETWORKED WORLD
--------------------------------------------------------

Author: Bruce Schneier
Publisher: Wiley
Pub. Date: August 14, 2000
Length: 432 pages
To buy on Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/0471253111/pcguardian-20

If you're interested in a broad, well-written, and thought-provoking introduction to computer security, pick up a copy of _Secrets & Lies_.

For those of us in the encryption business, Bruce Schneier is a god, or at least a minor deity. His Blowfish algorithm has been built into hundreds of data protection programs, including PC Guardian's Encryption Plus(r) line. His first book, _Applied Cryptography_, is the authoritative book on the field: the one reference you need if you need a crypto reference.

_Secrets & Lies_ covers both the landscape of computer security vulnerabilities (what Schneier calls the "vulnerability landscape") and the technologies that can be deployed to diminish or counteract threats, including chapters on Attacks, Adversaries, Cryptography, Network Security, Software Reliability, and Secure Hardware.

The news here is not good. Schneier points out that -- even with strong cryptography -- it's impossible to eliminate threats or prevent computer security breaches.
Schneier notes that computer systems exhibit four properties that make them extremely difficult to secure:

1. They're complex. Complexity is the enemy of security: there's no way to guarantee security in large, complex systems like Windows 2000, which has tens of millions of lines of code.

2. Because they're complex, they're buggy. More code means more bugs; more bugs mean more vulnerabilities that attackers can exploit.

3. Computer systems interact with each other, forming larger systems in occasionally unpredictable ways. Microsoft's Passport system ties together hundreds of web sites, providing a big, fat single point of failure.

4. They're emergent and take on features not anticipated by their designers. The Internet is an example of an emergent system that has spilled beyond the scope of its original design.

Even if computer systems were simple and bug-free, computer security would still be a problem. Most security problems have more to do with people than with technology. You can deploy strong cryptography using long keys, but if your cryptosystem relies on human-remembered passwords, it will be vulnerable to brute-force password-cracking programs: the effective strength of the key is bounded by the entropy of the password it was derived from, not by the key's length. As Schneier points out, the average password has less than four bits of entropy per character: the English language simply isn't all that random.

With the "people problem" in mind, Schneier divides the challenge of computer security into three parts:

* prevention
* detection
* response

He points out that most computer security products are concerned with prevention: firewalls prevent unauthorized network access, encryption prevents breaches of confidentiality, physical security devices prevent theft, etc. Detection and response often get short shrift in computer security architectures.

This isn't how the "real world" works, however. Take the police. People sometimes think that the role of the police is to prevent crime. But there are more criminals than police personnel on the streets.
The police simply can't be everywhere at once, preventing crimes as they happen. They are quite effective, however, at detecting that crimes have occurred. They're also effective at responding to crime (inspecting crime scenes, filing reports, etc.).

This plays into an aspect of _Secrets & Lies_ that I found to be mildly disturbing. Schneier argues persuasively that security is a process, not a product, and that there's no substitute for expert detection and response to computer security breaches. Not coincidentally, Schneier is now the Chief Technical Officer of a managed security monitoring firm that offers expert detection and response services for corporate systems. While Schneier's integrity is unimpeachable, his conclusions about detection and response fit a bit too snugly with his new business mission.

My only other complaint about _Secrets & Lies_ really isn't fair: _Secrets & Lies_ is not _Applied Cryptography_. _Applied Cryptography_ is one of the greatest computer books ever published. It belongs to a broader category of works that completely and authoritatively nail down their subjects. If you want to learn cryptography, read _Applied Cryptography_ and you're set. While _Secrets & Lies_ is well written, engaging, and far-reaching, Schneier hasn't nailed down his topic for all time. This criticism isn't fair, since Schneier did not set out to create the definitive work on digital security. Nonetheless, that's the book this reviewer wanted him to write. Schneier is both brilliant and relatively young: maybe he'll write another nail-it-down book someday.

In the meantime, I highly recommend _Secrets & Lies_, _Applied Cryptography_, and Schneier's free monthly newsletter, Crypto-Gram.
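The password point in the review above (a long key buys nothing if the key is derived from a short, human-remembered password) is easy to see in code. The following is an added, constructed example for this newsletter, not code from the book or from Schneier: it assumes SHA-256 as the key-derivation step, a constructed four-letter sample password, and the book's rule of thumb of about four bits of entropy per character as the review reports it. The derived key is 256 bits long, yet the attacker only has to enumerate the password space, which is under 19 bits for four lowercase letters.

```python
# Added example (constructed for this review, not from _Secrets & Lies_):
# a 256-bit key derived from a 4-letter password falls to brute force.
import hashlib
import itertools
import math

KEY_BITS = 256  # length of the derived key (SHA-256 output)


def derive_key(password: str) -> bytes:
    """Derive a 256-bit key from a password.

    Plain SHA-256 is assumed here for simplicity. A real system would use a
    salted, iterated KDF; that raises the cost per guess but does not add a
    single bit of entropy to the password the attacker must enumerate.
    """
    return hashlib.sha256(password.encode()).digest()


def password_entropy_bits(length: int, bits_per_char: float = 4.0) -> float:
    """Entropy of a human-chosen password under the book's rule of thumb
    (under four bits per character; 4.0 is the upper end of that estimate)."""
    return length * bits_per_char


def search_space_bits(alphabet_size: int, max_len: int) -> float:
    """log2 of the number of candidates brute_force() tries at most."""
    total = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return math.log2(total)


def brute_force(target_key: bytes, alphabet: str, max_len: int):
    """Enumerate every password over `alphabet` of 1..max_len characters,
    derive the key for each, and stop on a match.

    Returns (password, guesses) on success, (None, guesses) otherwise.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if derive_key(candidate) == target_key:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    lowercase = "abcdefghijklmnopqrstuvwxyz"
    secret = "frog"  # constructed sample password: four lowercase letters
    key = derive_key(secret)
    print(f"derived key length:          {KEY_BITS} bits")
    print(f"rule-of-thumb entropy:       "
          f"{password_entropy_bits(len(secret)):.0f} bits "
          f"for a {len(secret)}-character password")
    print(f"attacker's search space:     "
          f"{search_space_bits(len(lowercase), len(secret)):.1f} bits "
          f"(a-z, up to {len(secret)} characters)")
    found, guesses = brute_force(key, lowercase, len(secret))
    print(f"recovered {found!r} after {guesses} guesses")
```

Run as-is, the script recovers the sample password in well under a million SHA-256 evaluations, which takes about a second in pure Python. Lengthening the key changes nothing; only lengthening the password (or replacing it with a randomly generated key the user never has to remember) moves the search space out of reach, and a slow KDF only multiplies the attacker's cost by a constant.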
You can find _Secrets & Lies_ on Amazon.com at
http://www.amazon.com/exec/obidos/ASIN/0471253111/pcguardian-20

You can find _Applied Cryptography_ on Amazon.com at
http://www.amazon.com/exec/obidos/ASIN/0471117099/pcguardian-20

To subscribe to the Crypto-Gram newsletter:
http://www.counterpane.com/crypto-gram.html

To find out more about the offerings of Schneier's managed security monitoring firm:
http://www.counterpane.com/

See you next issue, when I'll pull some snake oil out of my bag of tricks. 'Til then, keep your guard up!

/------------------ BEGIN ADVERTISEMENT ------------------\
Summer is officially here and PC Guardian is celebrating with an Independence Day Celebration Online Sale. Visit us today and receive a 30% discount on any single-user copy of the following encryption software programs:

> Encryption Plus Folders
> Encryption Plus Email
> Encryption Plus Personal
> Encryption Plus Secure Export
> Encryption Plus CD-ROM Personal

Time is limited, so take advantage of this special discount today at:
http://www.pcguardian.com/store/
\------------------- END ADVERTISEMENT -------------------/

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published monthly by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/

To download our crypto software, visit
http://www.pcguardian.com/securius_download/

You can find our archive of back issues at
http://www.securius.com/newsletter/archive/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to
leave-securius-nl@lists.securius.com

To subscribe to this newsletter, send an email to
join-securius-nl@lists.securius.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

ABOUT THE AUTHOR

Seth is the Chief Strategy Officer at PC Guardian and author of the book _UNIX System Security Tools_ (McGraw-Hill, 1999):
http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20

SPECIAL THANKS TO

Emily Navarre, editor extraordinaire

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.

Copyright 2001 PC Guardian. All rights reserved.