Secrets and Lies: Digital Security in a Networked World - Hardcover

Review

At the moment, it seems that hardly a day passes without fresh news of some glaring Internet security breach; online banks, of all things, seem to be particularly vulnerable at the moment. All of which will come as no great surprise to network security cum cryptography guru, Bruce Schnier. His latest book, Secrets and Lies, paints a very gloomy overview of the true state of network security. Schnier, founder of Counterpane Internet Security, has some harsh words to say about the state of network security, though, to be fair, his criticisms are directed far and wide; not one scapegoat, (not even Microsoft) is singled out for special attention. Depressingly, the words "fundamentally flawed" crop up time and time again in this absorbing book.

Secrets and Lies is a thorough backgrounder in all aspects of network security, an extremely wide remit that stretches from passwords to encryption, passing through authentication and attack trees along the way. The book is divided in to three broad categories, The Landscape, which covers attacks, adversaries and the need for security; Technologies, which discusses cryptography, authentication, network security, secure hardware and security tricks; and concludes with Strategies, which looks at vulnerabilities, risk assessment, security policies and the future of security. Mercifully there's a dim light at the end of this tunnel and Schnier ultimately remains upbeat about maintaining computer security and details a way forward in his conclusion.

Although working in a necessarily techie environment, Schnier's book is surprisingly jargon-free and easy to understand, even if you're not au fait with the inner workings of TCP/IP--it's common-sense, practical style makes a potentially dense and arcane subject accessible by just about anybody. It's also bang up to date, which makes for a pleasant change. Secrets and Lies is never less than thought-provoking and should be essential reading for every network administrator in the land. Be afraid, be very afraid! --Roger Gann

Review

"...a good read..." "The book is interesting [and] educational..." -- E-business, Jan 2001

"...a very practical guide..." -- Webspace, October 2000

"...make yourself better informed. Read this book." -- CVu, The Journal of the ACCU, Vol 16(3), June 2004

"A thoroughly practical and accessible guide to achieving security" -- Webspace, August 2001

"Instead of talking algorithms to geeky programmers, he offers a primer in practical computer security aimed at those shopping, communicating or doing business online - almost everyone in other words." -- The Economist, September 2000

"One of the better-selling books on computer security..... It's a funny, informed book that points out that hackers exploit human weaknesses." -- Professional Security, May 2001

"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun.." -- New Scientist, 2nd September 2000

A Security State of Mind It's not encryption. It's not a password. It's not connecting through a VPN or an anonymizing service. Security means vastly different things to a national government, an e-commerce site, or a home user. Governments are rightly paranoid about little things like their military preparedness, new weapons systems, communications codes, and sensitive information about other governments. E-commerce sites amass records for millions of consumers; a break-in could net huge numbers of credit cards. Businesses are constantly evolving, and your chief competitor would love to know what you're up to. On the personal level, most of us don't have anything quite so vital as state secrets to protect, but theft of numbers and information that we use every day can make our lives a living hell. You only have to talk to one victim of identity theft to understand the excruciating-agony of suddenly being victimized by technology, as computers reject your bank and credit cards, and credit reports repeatedly reflect some crook's misadventures with your name and money. -- Lock on Net Security Los Angeles Times by Charles Piller

As an editor at a computer publication in the early 1990s, I hired a freelance security expert to evaluate anti-virus software. After extensive testing he faxed the results; unfortunately, the fax went to one of my publication's direct competitors. His gaffe demonstrated why we will never see fail-safe computer security: human error. That premise emerged as a central theme of a new book written by the same freelancer, now a leading security expert. "Secrets and Lies: Digital Security in a Networked World" (John Wiley & Sons, 2000, $29.99), by Bruce Schneier, is a compelling brief on the industry's most obsessive anxiety. It's not a story for the faint of heart. Schneier's scary world makes the Wild West--to which the Internet is often compared--look like kindergarten. (For every gory detail on computer crime, check out "Tangled Web," by Richard Power; Que, 2000, $25.) "Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks--such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers--made headlines. Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages. A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats." "Script kiddies"--wannabes who use turnkey hacking tools they find posted on the Web--may be emerging as the biggest threat. Schneier explains the reasons for this grim scenario in simple truths: * In the hacking wars, technology favors offense over defense. * Complexity is the enemy of security, and the Internet is the mother of all complex systems. * Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities. * People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data) that it said would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key--typical among lazy computer users--a neophyte hacker would need about five minutes. Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised. It's not hard to imagine why security software developers would be short on confidence--their products are nearly always developed in a vacuum. "A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"--probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough." "If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day." A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users--as individuals or employees--must understand their role in protecting information--instead of naively relying on software tools to work without human vigilance. So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I wasstonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign. So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks. Dopey business plans are a bigger threat to the "dot-com" world, and the sale of personal data by marketers a bigger threat to individuals,than hackers will ever be. -- TECHNOLOGY YOU By Stephen H. Wildstrom

Be thankful cryptography guru Bruce Schneier works for the good guys. The founder and C.T.O. of Counterpane Internet Security knows just how weak your company's security really is. You could wait and find out in September, when his new book, Secrets and Lies: Digital Security in the Networked World comes out. Or you can keep reading.

How would you describe the current state of online security?
Terrible. The products that claim to provide security actually don't do a very good job. They're not implemented, installed, or operated properly. We see a half-million credit card numbers stolen from a site, or we see that everybody's Hotmail accounts have been accessible to anyone, but nobody has noticed. I think that's very, very common and that it just hits the press when somebody notices. Most of the time nobody notices.

Is there a solution?
Realistically, we're losing. Things are not getting better. They're getting worse, primarily because they're getting more complex. Complexity is the enemy of security. Windows NT 4.0 had 16 million lines of code; Windows 2000 has 35 million to 60 million lines of code. So the number of bugs is going to double or triple. If we're seeing one security flaw a week with NT, in Windows 2000 we're going to see three a week or more. And now everything is connected. What [the Melissa virus] taught us is now Microsoft Word is a network product. As things get interconnected, things can break each other.

Could all this solved with better programming practices?
Better programming practices equal slower development and more money. If you walk into Microsoft and say' " Great - let's use better programming practices." Your operating system will be delayed by three years, and it will cost twice as much. They will show you the door.

The market place doesn't reward security because there's no liability. When we found out that Hotmail wasn't protecting anybody's security, there were no screams of liability. It's almost as if someone builds a building and it collapses and they say, "wait until building 1.1. that will be strong." (Thomas Claburn, Smart Business (formerly PC Computing), April 2000) -- Thomas Claburn, Smart Business (formerly PC Computing), April 2000