Review of Secrets and Lies

Book Reviews
Home
What's New
Privacy & Individual Rights
Commerce, Security, & the Law
Net Culture, Art, & Literature
International Affairs & National Security
Ethics, Rhetoric, & Metaphysics
Science Fiction

Other Resources
News
Publishers
Other Book Review Sites
Letters
Contact
Copyright

Title: Secrets and Lies
Author: Bruce Schneier
Publisher: Wiley
Copyright: 2000
ISBN: 0-471-25311-1
Pages: 412
Price: $29.99
Rating: 91%

If you're a business person or researcher who has anything to do with evaluating and purchasing computer-related security systems, you should read Secrets and Lies. Period. Even though this book has been on the market for a while, it still sold out quickly at the O'Reilly Emerging Technology Conference this June (2002). I mention this fact because the folks at O'Reilly conferences tend to be pretty discerning in what they read.

Bruce Schneier, the founder and Chief Technical Officer of Counterpane Internet Security, isn't a guy who shies away from controversial subjects. His monthly newsletter features products and services he feels are snake oil, and he's railed against both the government and the big computer and entertainment firms (Microsoft and Disney figure prominently) when he feels they've transgressed.

Schneier's goal in Secrets and Lies is to give the executive or manager who's neck is on the line for information security a basis from which to evaluate the products and services at their disposal. Schneier covers all of the basics of computer security (encryption, intrusion detection systems, firewalls, and so on), but what sets his book apart from most of the competition is his ability to jump up a conceptual level and argue why some security solutions are better than others. One typical passage, which warns against accepting claims from companies that their proprietary security scheme is a sure-fire bet against evildoers:

"A good security design has no secrets in its details. In other words, all of the security is in the product itself and its changeable secret: the cryptographic keys, the passwords, the tokens, and so forth. The antithesis is security by obscurity: the details of the system are part of the security. If a system is designed with security by obscurity, then that security is delicate. As the designers of the once-proprietary digital cellular security systems, the DVD encryption scheme, and the Firewire interface learned, sooner or later the details will be released. A bad system design is secure as long as the details remain secret, but quickly breaks once they are released. A good system design is secure even if the details are public." [p. 344]

Another practical issue Schneier mentions, which I hadn't seen in any other computer security books that also cover the technical side of security in some detail, is the issue of insuring your information systems against damage or liability. As systems become increasingly entangled with corporate revenue and identity, it makes sense that companies will insure their investment against loss. The problem is that you can't quantify the risks if you don't understand the environment, and it's very hard to quantify the potential exposure should something go wrong, so the insurance companies either refuse to issue a policy or charge ridiculous premiums.

If you haven't read Secrets and Lies yet, you should. If you have read it but it's been a while, take it along for your next plane ride.

Curtis D. Frye (cfrye@teleport.com) is the editor and chief reviewer of Technology and Society Book Reviews. He is also the author of three online courses and ten books , including Privacy-Enhanced Business from Quorum Books.