Computing Reviews
Secrets and lies: digital security in a networked world
Schneier B., John Wiley & Sons, 2004. Type: Book (ISBN 9780471453802)
Date Reviewed: Feb 2 2005

“Security is a process, not a product.” If one sentence could sum up the content of this book, this would be it. In this book, Bruce Schneier, author of the popular Applied cryptography [1], takes a U-turn in his thinking on computer security, admitting that the mathematics of cryptography can only lay the foundation on which the process of computer security is built, and that computer security is much more than mathematical constructions.

First published in 2000, this book was branded a dark book, one that proclaimed the futility of trying to achieve security in a digital system. However, I beg to differ. While the book is full of anecdotes and pieces of information that show the frailty of security systems, what it tries to do is drive home the point that security depends closely on engineering and social practices. As the author states, “Security is a chain; it’s only as secure as the weakest link.” Even though the book was revised (in 2004), I don’t think the author had to make any major changes, because the sad state of security hasn’t changed much since the book was first written.

The book is structured into three parts. In the first part, “The Landscape,” Schneier looks at the unique features of digital threats, the different kinds of attacks, the kinds of adversaries on the playing field, and the overall security needs of a digital system. In the second part, “Technologies,” the author presents the basics of cryptography; computer security models (like Bell-LaPadula); security evaluation criteria; methods of identification and authentication; threats unique to networked computer systems, Internet-based applications, and systems; the (un)reliability of computer software; the use of tamper-resistant hardware to design secure systems; and a whole chapter on miscellaneous “security tricks.” It is in this part of the book that the author’s cynical tone comes across with full force. For almost every security mechanism described in this part, Schneier points out a real-life incident in which that scheme failed, and discusses several reasons for the failure. Though these anecdotes may sometimes sound trivial and amusing, they hint at the underlying weakness in our understanding of computer security and of how to achieve it.

Schneier brings back a glimmer of hope in the next part, “Strategies,” where he tackles issues like threat modeling, risk assessment, modeling attack trees, the creation of security policies and countermeasures, and product testing, among others. For readers who have read books on cryptography and are familiar with the state of security, the first two parts may come across as a rehashing of old content; this third part, however, will most probably be refreshingly new and interesting.

This book is approachable for technical as well as nontechnical readers, which is an outstanding achievement indeed. To achieve this, however, the author evidently had to sacrifice some thoroughness of presentation. On several occasions, names are thrown out (“Marcus Ranum,” “Ross Anderson,” and “Steve Bellovin”) without any information on who these people are or why their views are worth mentioning. Anecdotes and incidents are mentioned without references or citations. Though the author notes that he “deliberately did not disrupt the flow of text with footnotes or citations,” the absence of this information renders the book a bit less exhaustive and definitive.

I think there are a few books that discuss the material presented in the first two parts of this book in a more detailed and technical manner (Anderson’s book [2] is one of them). Those who consider themselves technically inclined, and who find the material in the first two parts worth further study, should consider reading them.

In conclusion, this book is very good for someone new to the field of computer security. All three parts will provide enlightening information on the current state of the subject. For someone who is already familiar with the field, Part 3 alone provides reason enough to read this book.

Reviewer: Srijith Nair. Review #: CR130751 (0510-1090)
1) Schneier, B. Applied cryptography. Wiley, New York, NY, 1996.
2) Anderson, R. J. Security engineering: a guide to building dependable distributed systems. Wiley, New York, NY, 2001.
Classification: Data Encryption (E.3); Security and Protection (C.2.0); Security, Integrity, and Protection (H.2.7); Database Administration (H.2.7); General (C.2.0)
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®