I’m not sure how I first heard about Bruce Schneier, but his ideas have
appealed to me for a while now. He has an impressive background in computer
cryptography, but it is his transition to a personality in the field of security
that interests me most. Utilizing a technical background to build a more
socially-relevant identity is a feat I personally hope to accomplish one day
(just like Tony Stark, “Mannie”
Mitchell Hundred). But
enough gushing; let’s talk about the book.
First of all, I bought Secrets & Lies
expecting the kind of social commentary Schneier makes when writing about
“security theater”. This is not that book.
The author is clearly still developing his voice here; his focus is still
largely on technology. Apart from a single brief aside on how people
internalize sensational threats, this book provides little in the way of
That said, Schneier paints a reasoned and cogent picture of computer security.
He also takes pains to demonstrate just how many aspects of computer security
are not novel, exemplifying with analogues in other contexts. This makes the
book a great read for someone who is not comfortable with concepts like network
protocols and program execution.
Many of these concepts are not new to me, but I was pleased to learn about one
aspect of security that I never quite understood: certificate authorities. I
think a working knowledge of how trust works on the web is useful for anyone
routinely using it.
It is worth mentioning that Schneier has a good sense of humor. Given the
subject matter and background of the author, it is easy to imagine a book like
this being extremely dry or emotionless. Thankfully, the author peppers the
book with enough bizarre scenarios and case studies to keep things light.
Originally published in 2000, Secrets & Lies is beginning to show its age.
While the basic principles Schneier espouses hold true to this day, many of the
examples could definitely use an update. Windows NT is heavily mined for
examples of bad security practices, but it is difficult to relate to today. Today,
entities like Anonymous have merged the concept of “script kiddies” with the
distributed denial-of-service attack model. Schneier covers both of these
topics in detail, but their combination is worth discussing. While this cannot
be held against the book (which is almost prescient in some areas), it leaves
one wanting for more current examples. (Fortunately, the author maintains a
monthly newsletter providing exactly
this kind of up-to-the-moment coverage.)
Schneier concludes the book with an excellent discussion on risk management.
Although it is emotionally gratifying to end on a positive note, it does not
feel like the author is playing on our heartstrings with this organization. The
topic follows quite logically from the previous chapters, and serves as an
excellent thesis for the book. Unfortunately, the author takes time to draw
parallels between this thesis and his newly-formed security company. This
tinges the conclusion with a feeling of advertising copy and ultimately weakens
As mentioned earlier, I started this book expecting commentary from the mind
that coined the term “security theater”. While I was disappointed in that
regard, I am still happy to have read this book and eager to pick up the next.
For more on Bruce Schneier, visit his website http://www.schneier.com/.