Securius Newsletter

June 26, 2001
Volume 2, Number 5

Secrets and Lies

By Seth Ross

Author: Bruce Schneier
Publisher: Wiley
Pub. Date: August 14, 2000
Length: 432 pages
To buy on

If you're interested in a broad, well-written, and thought-provoking introduction to computer security, pick up a copy of _Secrets & Lies_. For those of us in the encryption business, Bruce Schneier is a god, or at least a minor deity. His Blowfish algorithm has been built into hundreds of data protection programs, including PC Guardian's Encryption Plus(r) line. His first book, _Applied Cryptography_, is the authoritative book on the field, the one reference you need if you need a crypto reference.

_Secrets & Lies_ covers both the landscape of computer security vulnerabilities (what Schneier calls the "vulnerability landscape") and the technologies that can be deployed to diminish or counter-act threats, including chapters on Attacks, Adversaries, Cryptography, Network Security, Software Reliability, and Secure Hardware. The news here is not good. Schneier points out that -- even with strong cryptography -- it's impossible to eliminate threats or prevent computer security breaches.

Schneier notes that computer systems exhibit four properties that make them extremely difficult to secure:

  1. They're complex. Complexity is the enemy of security: there's no way to guarantee security in large complex systems like Windows 2000, which has tens of millions of lines of code.

  2. Because they're complex, they're buggy. More code means more bugs; more bugs mean more vulnerabilities that attackers can exploit.

  3. Computer systems interact with each other, forming larger systems in occasionally unpredictable ways. Microsoft's Passport system ties together hundreds of web sites, providing a big, fat single point-of-failure.

  4. They're emergent and take on features not anticipated by designers. The Internet is an example of an emergent system that's spilled beyond the scope of its original design.

Even if computer systems were simple and bug-free, computer security would still be a problem. Most security problems have more to do with people than technology. You can deploy strong cryptography using long keys, but if your crypto-system relies on human-remembered passwords, it will be vulnerable to brute-force password-cracking programs. As Schneier points out, the average password has less than four bits of entropy per character: the English language simply isn't all that random.

With the "people problem" in mind, Schneier divides the challenge of computer security into three parts: * prevention * detection * response

He points that most computer security products are concerned with prevention: firewalls prevent unauthorized network access, encryption prevents breaches of confidentiality, physical security devices prevent theft, etc. Detection and response often get short shrift in computer security architectures. This isn't how the "real world" works, however.

Take the police. People sometimes think that the role of the police is to prevent crime. But there are more criminals than police personnel on the streets. The police simply can't be everywhere at once, preventing crimes as they happen. They are quite effective, however, at detecting that crimes have occurred. They're also effective at responding to crime (inspecting crime scenes, filing reports, etc.).

This plays into an aspect of _Secret & Lies_ that I found to be mildly disturbing. Schneier argues persuasively that security is a process, not a product, and that there's no substitute for expert detection and response to computer security breaches. Not coincidentally, Schneier is now the Chief Technical Officer of a managed security monitoring firm that offers expert detection and response services for corporate systems. While Schneier's integrity is unimpeachable, his conclusions about detection and response fit a bit too snugly with his new business mission.

My only other complaint about _Secrets & Lies_ really isn't fair: _Secrets & Lies_ is not _Applied Cryptography_. _Applied Cryptography_ is one of the greatest computer books ever published. It belongs to a broader category of works that completely and authoritatively nail down their subjects. If you want to learn cryptography, read _Applied Cryptography_ and you're set. While _Secrets & Lies_ is well written, engaging, and far-reaching, Schneier hasn't nailed down his topic for all time. This criticism isn't fair since Schneier did not set out to create the definitive work on digital security. Nonetheless, that's the book this reviewer wanted him to write.

Schneier is both brilliant and relatively young: maybe he'll write another nail-it-down book someday. In the meantime, I highly recommend _Secrets & Lies_, _Applied Cryptography_, and Schneier's free monthly newsletter Crypto-Gram.

You can find _Secrets & Lies_ on at

You can find _Applied Cryptography_ on at

To subscribe to the Crypto-Gram newsletter:

To find out more about the offerings of Schneier's managed security monitoring firm:

Subscribe to the Securius Newsletter
Please enter your email address: is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.