Secrets and Lies
By Seth Ross
Author: Bruce Schneier
Publisher: Wiley
Pub. Date: August 14, 2000
Length: 432 pages
To buy on Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/0471253111/pcguardian-20
If you're interested in a broad, well-written, and thought-provoking
introduction to computer security, pick up a copy of _Secrets &
Lies_. For those of us in the encryption business, Bruce Schneier
is a god, or at least a minor deity. His Blowfish algorithm has
been built into hundreds of data protection programs, including
PC Guardian's Encryption Plus(r) line. His first book, _Applied
Cryptography_, is the authoritative book on the field, the one reference
you need if you need a crypto reference.
_Secrets & Lies_ covers both the landscape of computer security
vulnerabilities (what Schneier calls the "vulnerability landscape")
and the technologies that can be deployed to diminish or counteract
threats, including chapters on Attacks, Adversaries, Cryptography,
Network Security, Software Reliability, and Secure Hardware. The
news here is not good. Schneier points out that -- even with strong
cryptography -- it's impossible to eliminate threats or prevent
computer security breaches.
Schneier notes that computer systems exhibit four properties that
make them extremely difficult to secure:
- They're complex. Complexity is the enemy of security: there's
no way to guarantee security in large complex systems like Windows
2000, which has tens of millions of lines of code.
- Because they're complex, they're buggy. More code means more
bugs; more bugs mean more vulnerabilities that attackers can exploit.
- Computer systems interact with each other, forming larger systems
in occasionally unpredictable ways. Microsoft's Passport system
ties together hundreds of web sites, providing a big, fat single
point-of-failure.
- They're emergent and take on features not anticipated by designers.
The Internet is an example of an emergent system that's spilled
beyond the scope of its original design.
Even if computer systems were simple and bug-free, computer security
would still be a problem. Most security problems have more to do
with people than technology. You can deploy strong cryptography
using long keys, but if your crypto-system relies on human-remembered
passwords, it will be vulnerable to brute-force password-cracking
programs. As Schneier points out, the average password has less
than four bits of entropy per character: the English language simply
isn't all that random.
With the "people problem" in mind, Schneier divides the challenge
of computer security into three parts:
- prevention
- detection
- response
He points out that most computer security products are concerned with
prevention: firewalls prevent unauthorized network access, encryption
prevents breaches of confidentiality, physical security devices
prevent theft, etc. Detection and response often get short shrift
in computer security architectures. This isn't how the "real world"
works, however.
Take the police. People sometimes think that the role of the police
is to prevent crime. But there are more criminals than police personnel
on the streets. The police simply can't be everywhere at once, preventing
crimes as they happen. They are quite effective, however, at detecting
that crimes have occurred. They're also effective at responding
to crime (inspecting crime scenes, filing reports, etc.).
This plays into an aspect of _Secrets & Lies_ that I found to be
mildly disturbing. Schneier argues persuasively that security is
a process, not a product, and that there's no substitute for expert
detection and response to computer security breaches. Not coincidentally,
Schneier is now the Chief Technical Officer of a managed security
monitoring firm that offers expert detection and response services
for corporate systems. While Schneier's integrity is unimpeachable,
his conclusions about detection and response fit a bit too snugly
with his new business mission.
My only other complaint about _Secrets & Lies_ really isn't fair:
_Secrets & Lies_ is not _Applied Cryptography_. _Applied Cryptography_
is one of the greatest computer books ever published. It belongs
to a broader category of works that completely and authoritatively
nail down their subjects. If you want to learn cryptography, read
_Applied Cryptography_ and you're set. While _Secrets & Lies_ is
well written, engaging, and far-reaching, Schneier hasn't nailed
down his topic for all time. This criticism isn't fair since Schneier
did not set out to create the definitive work on digital security.
Nonetheless, that's the book this reviewer wanted him to write.
Schneier is both brilliant and relatively young: maybe he'll write
another nail-it-down book someday. In the meantime, I highly recommend
_Secrets & Lies_, _Applied Cryptography_, and Schneier's free monthly
newsletter Crypto-Gram.
You can find _Secrets & Lies_ on Amazon.com at
http://www.amazon.com/exec/obidos/ASIN/0471253111/pcguardian-20
You can find _Applied Cryptography_ on Amazon.com at
http://www.amazon.com/exec/obidos/ASIN/0471117099/pcguardian-20
To subscribe to the Crypto-Gram newsletter:
http://www.counterpane.com/crypto-gram.html
To find out more about the offerings of Schneier's managed security
monitoring firm:
http://www.counterpane.com/