If you're a business person or researcher who has anything to do with evaluating and purchasing computer-related security systems, you should read Secrets and Lies. Period. Even though this book has been on the market for a while, it still sold out quickly at the O'Reilly Emerging Technology Conference this June (2002). I mention this fact because the folks at O'Reilly conferences tend to be pretty discerning in what they read.

Bruce Schneier, the founder and Chief Technical Officer of Counterpane Internet Security, isn't a guy who shies away from controversial subjects. His monthly newsletter features products and services he feels are snake oil, and he's railed against both the government and the big computer and entertainment firms (Microsoft and Disney figure prominently) when he feels they've transgressed. Schneier's goal in Secrets and Lies is to give the executive or manager whose neck is on the line for information security a basis from which to evaluate the products and services at their disposal. Schneier covers all of the basics of computer security (encryption, intrusion detection systems, firewalls, and so on), but what sets his book apart from most of the competition is his ability to jump up a conceptual level and argue why some security solutions are better than others. One typical passage, which warns against accepting claims from companies that their proprietary security scheme is a sure-fire bet against evildoers:

"A good security design has no secrets in its details. In other words, all of the security is in the product itself and its changeable secret: the cryptographic keys, the passwords, the tokens, and so forth. The antithesis is security by obscurity: the details of the system are part of the security. If a system is designed with security by obscurity, then that security is delicate. As the designers of the once-proprietary digital cellular security systems, the DVD encryption scheme, and the Firewire interface learned, sooner or later the details will be released. A bad system design is secure as long as the details remain secret, but quickly breaks once they are released. A good system design is secure even if the details are public." [p. 344]

Another practical issue Schneier mentions, which I hadn't seen in any other computer security books that also cover the technical side of security in some detail, is the issue of insuring your information systems against damage or liability. As systems become increasingly entangled with corporate revenue and identity, it makes sense that companies will insure their investment against loss. The problem is that you can't quantify the risks if you don't understand the environment, and it's very hard to quantify the potential exposure should something go wrong, so the insurance companies either refuse to issue a policy or charge ridiculous premiums.

If you haven't read Secrets and Lies yet, you should. If you have read it but it's been a while, take it along for your next plane ride.

Curtis D. Frye (cfrye@teleport.com) is the editor and chief reviewer of Technology and Society Book Reviews. He is also the author of three online courses and ten books, including Privacy-Enhanced Business from Quorum Books.