Product Details

• Amazon Sales Rank: #26052 in Books
• Published on: 2004-01-23
• Original language: English
• Number of items: 1
• Binding: Paperback
• 448 pages

Amazon.co.uk Review
At the moment, it seems that hardly a day passes without fresh news of some glaring Internet security breach; online banks, of all things, seem to be particularly vulnerable at the moment. All of which will come as no great surprise to network security cum cryptography guru, Bruce Schnier. His latest book, Secrets and Lies, paints a very gloomy overview of the true state of network security. Schnier, founder of Counterpane Internet Security, has some harsh words to say about the state of network security, though, to be fair, his criticisms are directed far and wide; not one scapegoat, (not even Microsoft) is singled out for special attention. Depressingly, the words "fundamentally flawed" crop up time and time again in this absorbing book.

Secrets and Lies is a thorough backgrounder in all aspects of network security, an extremely wide remit that stretches from passwords to encryption, passing through authentication and attack trees along the way. The book is divided in to three broad categories, The Landscape, which covers attacks, adversaries and the need for security; Technologies, which discusses cryptography, authentication, network security, secure hardware and security tricks; and concludes with Strategies, which looks at vulnerabilities, risk assessment, security policies and the future of security. Mercifully there's a dim light at the end of this tunnel and Schnier ultimately remains upbeat about maintaining computer security and details a way forward in his conclusion.

Although working in a necessarily techie environment, Schnier's book is surprisingly jargon-free and easy to understand, even if you're not au fait with the inner workings of TCP/IP--it's common-sense, practical style makes a potentially dense and arcane subject accessible by just about anybody. It's also bang up to date, which makes for a pleasant change. Secrets and Lies is never less than thought-provoking and should be essential reading for every network administrator in the land. Be afraid, be very afraid! --Roger Gann

The Economist, September 2000
"Instead of talking algorithms to geeky programmers, he offers a primer in practical computer security aimed at those shopping, communicating or doing business online - almost everyone in other words."

Business Week - September 18, 2000
The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be. That's why Secrets and Lies belongs in every manager's library.

Customer Reviews

Compulsory reading
The previous reviewer suggests that universities ought to base courses around this book. Well we are doing just that. Last year, Secrets and Lies was recommended reading, but now I have broken the cryptography and the security into two separate teaching streams and this book forms compulsory reading for the security stream (his Applied Cryptography is strongly recommended for the other stream).

This is an excellent book, very approachable, especially for undergraduates. Not ideally structured to be a text book, but then there's not many text books that you'd want students to read from beginning to end, every word. Our students even get to try out some of the defensive mechanisms on an isolated network, and this book tells them of many of the possible pitfalls to guard against, and gives them some idea of just how big and how important a job it is.

Look forward to a generation of security-aware computer science graduates, with a fair bit of help from Mr Schneier and his books!

Comprehensive and entertaining
When the news broke that a Russian cracker had successfully broken into the computer systems of global banking giant Citibank and stolen $12 million, the message was clear: inadequate computer security can cost millions. In Citibank's case, it was not just the money that it lost to the hacker, but many millions more that was subsequently withdrawn by people fearful that their life savings might be at risk. And such incidents are just the tip of the iceberg if the anecdotal evidence presented by Bruce Schneier in Secrets & Lies is any guide. But the most dangerous perpetrators are not necessarily skilled Russian crackers, but the intelligence organisations of major industrialised countries, including America, Britain, China, France and Russia.

Although many are engaged in industrial espionage on behalf of indigenous industries - particularly the French and Chinese secret services, according to Schneier - for the most part, their targets are normally other governments. And often, as the book illustrates, private companies collude: "Crypto AG, a Swiss company, sells encryption hardware to a lot of Third World governments. In 1994, one of their senior executives was arrested by the Iranian government for selling 'bad' cryptographic hardware. When he was released from jail a few years later, he went public with the news that his company had been modifying their equipment for years at the request of US intelligence," says Schneier.

In the corporate world, many incidents such as the Citibank theft never see the light of day, but there are few bounds to the ingenuity of the enterprising cyber-criminal. One included a JavaScript trojan horse program in the description field of a 'product for sale' ad on eBay. In this way, he was able to collect login and password information from anyone that viewed his page.

Others routinely use tools such as L0phtcrack to break into password protected systems. Older networking protocols, that require only seven, case-insensitive characters, can be cracked in hours. "On a 400-MHz Quad Pentium II, L0phtcrack can try every alphanumeric password in 5.5 hours, every alphanumeric password with some common symbols in 45 hours and every possible keyboard password in 480 hours," says Schneier.

And although Microsoft Windows NT does boast 128-bit encryption, the encryption keys are protected by a password system. This means that it is considerably less secure than people think. Indeed, Microsoft is learning only very slowly about how to build strong security into its products. The most important lesson for vendors to follow, says Schneier, is that such measures should be developed openly, and the computer community at large encouraged to test them to the limits before widespread adoption.

As a result, thousands of virtual private networks deployed worldwide are based on Microsoft technology that is littered with security holes. That technology is Microsoft's point-to-point tunnelling protocol (PPTP). "[It's] badly flawed," says Schneier. "They invented their own authentication protocol, their own hash functions and their own key generation algorithm. Every one of these items turned out to be badly flawed," he says. "It wasn't until 1998 that a paper describing the flaws was published. Microsoft quickly posted a series of fixes, which have since been evaluated and still found wanting," warns Schneier.

The reader of Secrets & Lies could be forgiven for thinking that security is futile. Schneier certainly knows his subject inside out. He can not only write knowledgably about such complex subjects as cryptography, but can write strong encryption algorithms himself. Schneier co-authored the Twofish Algorithm, one of the five finalists in the competition for the Advanced Encryption Standard (AES). And his first book, Applied Cryptography, sold more than 130,000 copies worldwide.

Secrets & Lies promises to match such sales. It is comprehensive, puts computer security into a wider context and is illustrated with numerous examples. As a result, not only is it entertaining, but is likely to end up on the reference shelf of thousands of CIOs worldwide.

This book has a lot to offer !
This book isn't what I expected. I thought it would be like a detailed analysis of hacking techniques and vulnerabilities. Instead, Bruce takes an overall look at security and how it affects every aspect of our lives (e.g. smart cars, ATMs, etc.), of course focusing mainly on computer and internet security.

So, I was a little disappointed initially, but as I read on, I was impressed with the depth of knowledge presented with respect to security - as he explains how security is not just prevention (e.g. firewalls), but also about detection and response, which are equally important. Security is a process (not a product) and is a chain only as strong as the weakest link.

It's a great read, and he does discuss cryptography, password cracking - how most passwords are easily crackable (and how it's usually done) - including discussion about l0phtcrack. I really liked the way he included real life security disasters, which made it more interesting.

This book has made me much more aware of security issues and the importance of open source security testing. Highly recommend it.