Posted: Wed Feb 25, 2004 3:36 pm Post subject: Book Review - Secrets & Lies
Secrets & Lies
Author(s): Bruce Schneier
Book Specifications: Soft-Cover, 414 pages
Category: Computer Security Miscellaneous
User Level: Beginner
Suggested Publisher Price: $17.95 USA / $25.99 CAN / £14.09 Net UK (inc. of VAT)
Amazon.co.uk: Secrets & Lies UK
Amazon.com: Secrets & Lies US
Info from Back: "Viruses. Identity theft. Corporate espionage. National secrets compromised. Can anyone promise security in our digital world? The man who introduced cryptography to the boardroom says no. But in this fascinating read, he shows us how to come closer by developing security measures in terms of context, tools, and strategy. Security is a process, not a product – one that system administrators and corporate executives alike must understand to survive."
To a large segment of the public it must seem as if the cyber sky is falling on a daily basis, with all of the viruses and worms floating around the web today. These e-borne threats then get reported in the news and print media with juicy headlines. In addition to all the problems that malware is creating for networks worldwide is the doom and gloom coming from many commentators about the state of the internet's security, or more pointedly the lack thereof.
If all this hype, and sometimes hysteria, were to be believed, one would do best to disconnect their computer and revert to snail mail. One disservice that all this media hype has created is the belief that it is no longer safe to use a computer. This goes for everything from everyday email to online shopping. Quite the opposite is true, of course. As is the case with most things, education is the key to dispelling myths and misinformation. When it comes to the internet, the aforementioned two have a stranglehold on many.
In this book the author attempts to convey to the reader the reality of the web today, and how it can be tamed, as it were. Provided over the book's pages is a general feel for things and how to correct some of them. A newcomer to the computer world would be well advised to read this book. Though it is just that, a book for beginners, as any seasoned computer user will already be aware of much of this book's contents.
Content & Overview
In the first part of the book the author details very briefly some of the more well-known problems out there today on the web. Things such as denial of service attacks, identity theft, and database hacks, among others, are covered quickly. Following this is the introduction of the shady crew that may want a piece of your computer assets. Detailed by the author is a rogues' gallery ranging from the stock malicious hacker, to spies such as Aldrich Ames, and onwards to terrorist groups. All of these various threat types may have different motivations, but all realize where the information is actually stored, i.e. the computer. This is in addition to the corporate spy, whom the author includes as well. After all, why spend billions in research and development if a simple million or two will do the trick in obtaining the schematics or formula?
Next in the book is a part on the technologies out there today and how they impact computer security. This ranges from the author's area of expertise, i.e. cryptology, to authentication/identification schemes such as PGP, access tokens, and various others. Also detailed are some of the problems facing network security, like the ever-present mobile code problems of worms and viruses. Presented as a balance are some ways of mitigating this threat, and their overall effectiveness. Covered also is the use of PKI and digital certificates. Rounding out this part of the book is one of the most pernicious threats to computer security: the human interface. Computers themselves are largely safe; the danger often comes from the users themselves interacting with them in an improper fashion.
Wrapping up the book are ways in which to try and mitigate many of the problems experienced today by computer networks by dealing with them at a strategic level. Vulnerabilities, threat modeling and risk assessment, security policies, and other areas are discussed here. This is a high-level approach shown by the author as a way of stemming the tide, as it were.
Style and Detail
The information covered in this book is relayed to the reader in a nice informal fashion. Topics that are covered in this book can be confusing or overwhelming at times to someone who is not used to the material. Through the explanation of everyday subject matter like ATMs, PGP, and other technologies, the reader is able to grasp easily what the author is explaining. Seeing as the topics detailed relate to everyday life for most of us, it is a relatively simple and informative read.
The quality of the physical book itself is quite nice as well. The overall dimensions of the book are good, as it is not too big to lug around on the bus. The paper quality of the pages is nice and meaty, which is a welcome change from the razor-thin stuff of some books. My one annoyance at the style of this book, though, comes directly from the author himself. On one hand the author attempts to dispel some internet myths with fact, but then turns around and reinforces other ones. To wit, the old tired stereotype of the hacker being surrounded by empty pizza boxes and cans of Jolt cola. I can't say I know of anyone personally who is surrounded by the aforementioned while hacking. Note here as well that by hacking I mean learning, and not the media-induced definition of hacking.
As an overall treatment of computer security and its implications, this book does a good job. I would venture, though, that this book is best aimed at the novice or beginner to computers. Having said that, there is bound to be material in here that those with computer experience are not aware of as well. It rates as recommended reading.
This book gets an SFDC 7/10 from me
Keywords for this post: Secrets & Lies
This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.