MeatballWiki | RecentChanges | Random Page | Indices | Categories
Secrets and Lies: Digital Security in a Networked World by BruceSchneier, ISBN 0-471-25311-1 (alternate, search).
The author's company website has a some background information and book excerpts . An independent review by Linux Weekly News is also available online .
- Security is never black and white, and context matters more than technology.
- Against Uncle Steve, almost any countermeasure works; there's no need for complex security software. Against the skilled user, no countermeasure works.
- It is fundamentally impossible to prevent attacks.
The book seems geared towards decision makers at companies that have no in-depths understand of security these days. The messages are pretty simple: No security is perfect. A strategy that depends on perfect security is doomed to fail. You need detection and response. The rest of the book is a well structured report on why this is so, examining current technologies, current practices, citing tons of historic material. Witty and entertaining, it makes a good read, unless you are allready well aquainted with the risks.
See AppliedCryptography for the author's previous book focusing on encryption technology.
See news:comp.risks and the comp.risks archive .
An excerpt from the LWN review:
- The core point in the book is that technical measures can never be expected to provide security for computers and data. There will always be ways to defeat those measures; all that can really be done is make it harder.
- And, in this respect, computer security is just like security in the real world. Door locks are not an absolute solution to burglary; heavy vaults are not sufficient to make a bank secure; car alarms do not keep a car from being stolen. In the same way, cryptography, firewalls, and passwords will not make a computer unassailably secure.
- The physical world gets by, usually, even with imperfect preventive measures against crime. The key is to not rely on prevention only. What is needed, along with prevention, is detection and response. A bank vault is a preventive measure; the alarm system supplies detection, and guards, police, and the court system handle the response. All of these measures, together, make most banks secure enough. Most of the time. Then there's insurance for the remaining cases.
See also UnlockedDoors.
The above misses one of the major points of the book - that computer security, just like security in the real world, is about RiskManagement. Schneier argues that while computers can never be made perfectly secure, they can be made SecureEnough. Nothing is ever impregnable, but it can be hard enough to break into that break-ins will happen only rarely. --ErikDeBill