Customer Reviews
143 Reviews
5 star: (90)
4 star: (32)
3 star: (8)
2 star: (7)
1 star: (6)

Most helpful favorable review: 5.0 out of 5 stars, "A must-read for true computer security professionals", by Richard Bejtlich, October 29, 2000 (127 of 134 people found it helpful)
Most helpful critical review: 3.0 out of 5 stars, "Why Digital Security Isn't!", February 23, 2002 (18 of 21 people found it helpful)


127 of 134 people found the following review helpful
5.0 out of 5 stars A must-read for true computer security professionals, October 29, 2000
By Richard Bejtlich
I am an Air Force officer and technical resource for a 50-person military intrusion detection operation. I've seen Bruce speak twice and he never fails to impress. "Secrets and Lies" is no different. This book is not designed to teach readers about the latest security technologies. It was not written to promote specific products, although Bruce explains how the book's themes caused him to revamp his Counterpane firm. What the book does is teach security professionals how to think about their craft. I would recommend it to everyone in the field from day one, but its deeper meanings would probably not be evident until a year's work on the front lines.
Some of the ideas aren't new. For example, I've heard members of the L0pht petition for a software Underwriter's Lab for years, and others have encouraged liability laws for software vendors. Bruce builds on these ideas and weaves them into his own prescription for dealing with complex and inherently insecure systems. This is the type of book that gives a professional the vocabulary and framework to organize his understanding of the security process. "Secrets and Lies" creates the "little voice" that warns against a vendor's promises to solve all your problems with a $30,000 box-of-wonders.
Of particular interest to me, after training in economics, is Bruce's insistence that "the buying public has no way to differentiate real security from bad security." It logically follows that the market cannot address this problem, since "perfect information" does not exist. Therefore, outside organizations (perhaps an FDA for software?) should get involved, but not by outlawing reverse engineering and security tools.
I give five stars to books that make the complex simple, that reveal and enhance technical details, or that change the way I look at the world. This book fits two, and possibly three of those categories. Bravo, Bruce.


85 of 91 people found the following review helpful
5.0 out of 5 stars Excellent intro infosec book that everyone should read, September 17, 2000
By J. G. Heiser (Sunninghill, Berks)
Verified Purchase
Written by one of my favorite industry commentators, this is an introductory text on information security that should be useful to just about everyone. I highly recommend this book for the following audiences:
· Beginning security specialists
· IS and other business managers who make decisions about systems deployment
· Experienced security practitioners who want to improve their thinking and analysis skills
· Those studying for security certification, such as the CISSP
· Software and Internet product planning and marketing staff (and not just security software)
Schneier, who is recognized for his contributions to cryptography, has recently found religion. As recounted in a recent interview in "Information Security" magazine, he realized that humans were destroying the purity of his mathematical approach. Instead of retreating into academia, he tackled this issue head-on, some of the result of which is this landmark book. He recommends reading it cover to cover, and I agree with him: it takes all 400 pages to paint the complete story, and if you don't approach it linearly, you run the risk of missing the subtleties of the author's message. Skimming this book could easily trap a reader into equating vulnerability with risk. The world is full of risk, and while Schneier takes obvious delight in deconstructing the vulnerabilities of automated systems, it is important to understand that historical manual systems are quite vulnerable too, and humans deal with the risk quite nicely. Read the whole book.
The chapters that I found most significant included:
· (6 & 7) Cryptography: It is no surprise that he has written a terrific introduction to the concepts and building blocks (primitives and protocols) of encryption. Even techno-agnostics will find great value in his discussion of the problems with proprietary algorithms.
· (9) Identification & Authentication: An excellent introduction to the problems of passwords and helpful discussion of the limitations of biometrics. He makes it clear why biometrics are NOT a magic cure for security problems.
· (12) Network Defenses: Schneier tells it like it is! The ugly truth about sexy security toys.
· (13) Software Reliability: Best description of stack overflow that I've ever seen for a lay audience.
· (22) Product Testing and Verification: After crypto, evaluating software for security flaws is Schneier's other specialty, and he's written an awesome chapter. The author makes it very clear why it is unrealistic to expect invulnerable software, he single-handedly conducts a totally balanced debate on the merits of full disclosure, and he finishes the chapter with sage advice on approaching security product reviews with healthy skepticism.
I'm often asked to recommend introductory texts on information security, and unfortunately there really aren't that many good books for a newbie. If more books existed, I would probably give Schneier's book a 4 instead of a 5, but for now, this is one of the best. As he explains in the Afterword, his 'epiphany' occurred only 12 months before completing the text; this isn't much time to become an expert in security process. His background is somewhat removed from day to day operations, and perhaps this lack of administrative experience results in a few weak areas. I suggest that the reader exercise some critical thinking and consult additional authorities when reading the following chapters:
· (4) Adversaries: his concept of computer criminals is a bit weak, pretty much lumping all transgressors into the mutually exclusive categories of 'spy' or 'hacker'.
· (5) Security Needs: Some of his terminology lacks precision (perhaps inevitable when addressing a general audience). I disagree that a spoofed message represents an integrity failure, and I don't characterize audit as a requirement, but as a control.
· (15) Certificates and Credentials: He totally ignores the concept that practice statements (policies on CA and especially certificate management) provide any arbitrary level of assurance: the more stringent the rules, the higher the assurance. He doesn't discuss time stamping and other forms of third-party witnessing that can greatly strengthen a digital signature.
· (16) Security Tricks: His vehement attack on key recovery is politically extreme. The government's ill-conceived desire for key escrow should not affect the responsibility a corporation has to protect its own data. Who hasn't used an encryption product and lost a key?
· (21) Attack Trees: This is a marvelously useful idea, but he leaves the impression that these can be used to create quantifiable risk models, and I don't believe that putting information security risk in dollar value terms is practical.
Despite its length, the book is a quick read, and the informal tone makes it very approachable. It is addressed to a completely different audience than "Applied Cryptography"; it isn't a technical book, it is more of a business book. (Technical specialists would be well advised to read more business texts like this.) My copy is already well marked with highlighting and notes; this text has a lot of meat in it, and many new and useful ideas. If you find this book helpful in your job and you want to do additional reading, two complementary texts on the human aspects of infosec that I recommend are "The Process of Network Security" by Thomas Wadlow, and "Fighting Computer Crime: A New Framework for Protecting Information" by Donn B. Parker (I've reviewed both here on Amazon).
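The review above ends on attack trees (chapter 21) and the reviewer's doubt that they yield dollar-valued risk figures. Whatever one thinks of the dollar figures, the mechanics the book describes can be shown in code: a goal at the root, OR nodes (any child suffices), AND nodes (every child is required), a cost on each leaf, and the cheapest complete attack as the path a rational adversary takes. The example below is added here; it is not code from the book, from the reviewer, or from this page, and the tree, the leaf names and every cost in it are constructed assumptions chosen only to exercise the algorithm. It also shows the defender's use of the tree: raise one leaf's cost (model a countermeasure) and see which attack becomes cheapest next.

```python
"""Attack tree mechanics: OR/AND nodes, costed leaves, cheapest attack.

Added illustration; the tree and every cost below are constructed values,
not figures taken from the book or from the reviews.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from itertools import product
from typing import List, Optional, Tuple

# (total attacker cost, the leaf steps the attacker must actually carry out)
Attack = Tuple[float, List[str]]


@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: Optional[float] = None  # leaves only; constructed attacker cost in dollars
    children: Tuple["Node", ...] = ()


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "OR", None, tuple(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "AND", None, tuple(children))


def attacks(node: Node) -> List[Attack]:
    """Every complete attack against `node`.

    LEAF: the single step.  OR: the union of the children's attacks.
    AND: one attack from each child, combined (cartesian product), costs summed.
    """
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    if node.kind == "OR":
        return [a for child in node.children for a in attacks(child)]
    if node.kind == "AND":
        combined: List[Attack] = []
        for combo in product(*(attacks(c) for c in node.children)):
            cost = sum(a[0] for a in combo)
            steps = [step for a in combo for step in a[1]]
            combined.append((cost, steps))
        return combined
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node) -> Attack:
    """The least expensive complete attack: the path a rational adversary prefers."""
    return min(attacks(node), key=lambda a: a[0])


def attacks_within(node: Node, budget: float) -> List[Attack]:
    """Attacks an adversary with at most `budget` can afford, cheapest first."""
    return sorted((a for a in attacks(node) if a[0] <= budget), key=lambda a: a[0])


def harden(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Model a countermeasure: a copy of the tree with one leaf's cost changed."""
    if node.kind == "LEAF":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=tuple(harden(c, leaf_name, new_cost) for c in node.children))


# Constructed example tree: the goal at the root, attacker steps at the leaves.
TREE = any_of(
    "Read a target's encrypted file",
    any_of(
        "Obtain the passphrase",
        leaf("Brute-force the passphrase", 100_000),
        leaf("Bribe the user", 20_000),
        all_of(
            "Capture the passphrase with a keylogger",
            leaf("Gain physical access to the workstation", 5_000),
            leaf("Plant a hardware keylogger", 500),
        ),
    ),
    leaf("Break the cipher", 1_000_000_000),
    all_of(
        "Recover plaintext from the disk",
        leaf("Steal the laptop", 2_000),
        leaf("Undelete temporary plaintext files", 1_000),
    ),
)

if __name__ == "__main__":
    cost, steps = cheapest(TREE)
    print(f"cheapest attack: ${cost:,.0f} via {steps}")
    for cost, steps in attacks_within(TREE, 10_000):
        print(f"  affordable with $10k: ${cost:,.0f} {steps}")
    hardened = harden(TREE, "Undelete temporary plaintext files", 50_000)
    cost, steps = cheapest(hardened)
    print(f"after secure deletion of temp files: ${cost:,.0f} via {steps}")
```

Two things the listing makes concrete that a prose summary does not: the AND node is what makes the keylogger branch cost the sum of two steps rather than the cheaper of them, and hardening the cheapest leaf does not remove the attack, it only moves the adversary to the next-cheapest branch (here, from undeleting temporary files to the keylogger path), which is exactly the comparison a defender uses to decide where the next dollar goes.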


41 of 42 people found the following review helpful
5.0 out of 5 stars Secrets and Lies and Schneier, oh my, September 6, 2000
By A Customer
_Secrets and Lies_ is a necessary book for everyone who wonders about privacy and security on the Internet--that is to say, everyone. Schneier discusses the threats in cyberspace, the technologies to combat them, and (most importantly) the strategies that make those technologies work. It's not surprising that the technical information is solid. What might be surprising to some, though, is how lucid and funny Schneier's writing is. He doesn't talk down to readers, but you don't have to be a complete techie to understand what he's saying.
Schneier's discussion of where things are and where they're going is fascinating and informative. I was especially interested by the legal stuff--many of the laws designed to enhance security and privacy actually damage it. Read this book, make your boss read it, make your IT manager read it, and send a copy to your congresscritter. It might just help make the Net safer.


18 of 20 people found the following review helpful
5.0 out of 5 stars Classic Schneier, August 21, 2000
By Ryan L. Russell (El Cerrito, CA USA)
If you're a fan of Bruce Schneier, whether it be his live presentations, his books, or Crypto-Gram, then you'll love this book. Bruce has shifted his focus away somewhat from the deep technical details that he has in "Applied Cryptography." In this book, he delves more into the hows and whys of security, and focuses heavily on the trade-offs that reality forces security people to make. This book is a must-read for anyone responsible for making security decisions.


16 of 18 people found the following review helpful
5.0 out of 5 stars goes past the technology, August 31, 2000
Bruce has rightfully earned his reputation by explaining the technology of security. In this book he goes past that by explaining that security is a system, a process, and does it in his typical style that makes it completely understandable and actually a fun read. If you're responsible for security matters, you may not like seeing various 'social engineering' hacks exposed, but it's information that you and everyone using a computer these days needs to be aware of. Once again, Bruce brings a straightforward style to bear and makes sometimes difficult subject matter clear to the reader.


9 of 9 people found the following review helpful
5.0 out of 5 stars An Excellent Security Overview, October 29, 2001
By "richg74" (Washington DC Area, USA)
This book provides a first-rate overview of security issues and problems that is well-written for its intended audience: from technical managers to senior executives. (And, although it is clearly not intended as a technical manual, it is nonetheless accurate from a technical perspective, as one would expect from an author of Schneier's stature.)
I've worked as a corporate security manager and IT director for 20+ years, and I have often wished for a book that would bridge the gap between the typical high-level board presentation and the technical nitty-gritty. Unfortunately, too, the point that many technical folks fail to grasp is that security is NOT primarily a technical problem -- it involves decisions that are fundamental to the working of the organization. _Secrets and Lies_ is, IMHO, just what the doctor ordered.
Yes, Bruce Schneier is human, and puts in a plug for what he's doing at the end of the book. But there is lots of value in this book.
Highly recommended.


12 of 13 people found the following review helpful
5.0 out of 5 stars Multi-disciplinary look at security, November 8, 2001
Bruce Schneier covers the entire landscape of information security with this book. He balances technical and psychological aspects of security, and does so in clear prose that does not talk down to security professionals, while explaining the details to lay persons.
As a competitive intelligence specialist who is only peripherally concerned with the technical underpinnings of security I gained much from this book. Among the valuable insights are: a thorough look inside the minds of attackers and spies (state- and corporate-sponsored), an array of threats that I had not previously considered, and the motives behind attacks that are as likely to be oblique as they are to be frontal assaults. Further, I learned a lot about my own profession, especially since my job is "white-ops" (obtaining publicly available information on competitors using strictly legal means).
What I really like about this book is the clear explanations of cryptography and security infrastructure. Mr. Schneier has a talent for clearly explaining complex topics so that people like myself who have no technical background can easily understand them. Because my job is closely related to mainstream information security this alone made the book worthwhile.
I recommend this book highly to technical practitioners as well as fellow competitive intelligence specialists. Both groups will gain a broader understanding of information security from this informative, easy-to-read book.


18 of 21 people found the following review helpful
3.0 out of 5 stars Why Digital Security Isn't!, February 23, 2002
By A Customer
Bruce Schneier has an M.S. in Computer Science from American University and a B.S. in Physics from the University of Rochester but he is self-educated in the areas of computer security and cryptography. An acknowledged expert in the field of cryptography, he has written eight books and dozens of articles on topics as wide ranging as techniques for securing installations of the MacOS to the detailed specifications of an encryption algorithm. He used to be president of Counterpane Systems, which was a consulting firm specializing in cryptography and computer security. He is now Chief Technical Officer of Counterpane Internet Security, Inc., a company he co-founded, which provides worldwide real-time security monitoring services.
Secrets & Lies is an attempt at writing a book to provide everything you wanted to know about cryptography, computer hacking, and the security issues of computers and computer networks. The book is written in three main sections. The first concentrates on the modern electronic environment and the threats to security and commerce that exist within it, and how these weaknesses and threats compare to the more traditional security threats that have existed for years. The second section deals with the main categories of technologies that exist to secure computers and computer networks, and with the weaknesses of each of the types of security. The third section deals with how to develop a threat model, how to analyze a system for security vulnerabilities, and the future of data network security.
Secrets & Lies contains a lot of information arranged as a broad overview of information technology security. It is not, by any stretch of the imagination, a technician's handbook for securing a server or network. The system administrator or network operator may find some of the sections, such as how to analyze a system for security vulnerabilities, very useful but will not find a lot of answers on how to secure their particular network or system.
The main points that the author is attempting to impart, which can be discovered fairly quickly, are that security is a process and not a product, that security should be layered like an onion, that security is like a chain in that it is only as strong as its weakest link, and finally that security should be applied to the entire system and not just to individual pieces. Yes, the book does read as if a computer security consultant wrote it, which is exactly what the author has been doing for a good part of his life. Having said that, the book is very readable and would be understandable to most business people, whether a person is an IT professional or a financial department manager. If new to the IT field or IT security a person would benefit greatly from this book.
Another theme of the author's, though it is only mentioned once, is the idea that computer security rests on the three pillars of integrity, availability, and confidentiality. Though much of the book is admittedly written with the goal of explaining how each of these "pillars" can or can't be accomplished, a disservice is done by not mentioning these principles earlier and providing them a higher level of importance. The technologies, the threats, and the weaknesses of the technologies receive the limelight in this book but the big "so what" is why the technologies even exist. The "why" is explained by the three pillars and though they are a conceptual idea it is important that the reader understand their importance prior to getting distracted by 128 bit encryption which is, after all, only a means to an end.
The IT professional, however, may find the book overly long and wordy. To make the different technologies understandable to almost anyone the author made free and extensive use of analogies that can at times be quite lengthy and simplistic. The analogies do accomplish the goal of clearly explaining the underlying principles, operation, and problems in several areas such as PKI and certificates, but the IT professional who is already familiar with the topic will cringe at some of the simplistic explanations.
This is a good one over the world familiarization book on digital security. IT professionals should read this book, though they might want to consider skipping the first six chapters. The first six chapters are, however, an excellent primer for managers who are unfamiliar with data network security and the huge challenge posed by securing information systems and networks.
PJZ


12 of 13 people found the following review helpful
5.0 out of 5 stars Protect, Detect, Respond, November 7, 2001
Verified Purchase
I really enjoyed Bruce's "Applied Cryptography", so I looked forward to reading what Bruce has learned from his computer security consulting company. Bruce explains that when he wrote Applied Cryptography he thought all that was necessary for foolproof computer security was great technology. But as he tried to help companies implement network security, he learned first-hand that a system is composed of people and computers, and it is only as strong as its weakest link.
With many (often colorful) examples of security failings, he illustrates very clearly the need for a three part strategy. You must first protect your system from obvious/easy attacks, then you must provide a means to detect incursions into your system, and finally you must have response mechanisms to deal with incursions.
A must-read for anyone working in software today.


8 of 8 people found the following review helpful
5.0 out of 5 stars The only holistic view of digital security in print, January 3, 2001
In Secrets and Lies Mr. Schneier weaves an exquisite tapestry that depicts every facet of digital security in detail and depth. The thread from which this tapestry is woven is excellent writing that is informative, entertaining and sardonic.
This book is a holistic view of security from every angle. His cogent analysis of threats, attacks and adversaries and their motivations goes deep into social and psychological aspects of those who would breach our systems. Both blatant and subtle threats are examined in a straightforward and informative manner. Types of attacks are given the same thorough treatment. Everyone from pimple-faced hackers and wannabes, to criminals, infowarriors and government organs are profiled in a consistent manner.
Mr. Schneier's treatment of threats, attacks and adversaries shows an aspect of security that is often overlooked by the technical practitioner. This set of subjects could have been a book in itself - and a best seller at that. The main value, though, is this section of the book will enlighten the "in-the-weeds" technical specialists about a much wider set of issues associated with digital security.
The treatment of technology shows that the author not only deeply understands risks and the human side of security, but is also a master of the technical underpinnings. Every major technical facet of the security business is explained in a clear manner. One of the book's strengths is that it delivers clear explanations of complex technical topics in such a way that non-technical people can easily understand. As such it gives an understanding of security to those who most need it - key decision makers and executive management.
As someone who works in the field of e-commerce security I strongly recommend that my technical peers, clients and executive management read this book. Read it twice, in fact - read it the first time to gain an appreciation for just how complex the practice of digital security really is, and the second time to catch the plethora of sage advice and subtle hints that the author has sprinkled through this excellent book.


Details

Secrets and Lies: Digital Security in a Networked World by Bruce Schneier (Paperback - January 30, 2004)