Secrets and Lies : Digital Security in a Networked World

And this book gave me some business inspiration. In the US, the collected individual information (database) is the property of collectors, not individuals. I'd better to collect database now. Few (no?) Internet-related regislation is available, so everything is OK. In the future, I can get money from that!? I have to follow the way DoubleClick does.

Rating:
Summary: An excellent primer for the rest of us
Review: One of the best books around for presenting a high-level, comprehensive look at the current state of computer security, and all the issues that need to be considered. Plus, it's an enjoyable read! It has something to offer most everyone in the enterprise, from the CEO to the techies.

What this book is *not* is a technical manual; it will not teach you specific hacker exploits or how to configure a firewall. In fact, there's little here that a seasoned security pro wouldn't already know. But that's not the purpose of the book. Its purpose is to educate the professional who is not a security expert yet who is impacted by attacks and vulnerabilities -- in other words, the rest of us.

Rating:
Summary: A Wakeup Call for Computer Security Professionals
Review: Bruce Schneier taught me the fundamentals of cryptography at a time when he thought that the use of ciphers and protocols was all that was needed to create safe and secure computer systems. (A little more DES over there, please).

Since that time (1995), as I have continued to work in the field of computer security, I have learned that crypto is only one element of a truly secure system, and that most system designers have not understood this critical point. Bruce's newest book, _Secrets and Lies_, shows that he has also learned this lesson, and he drives the point home in a clear, forceful, and engaging manner.

This book compares favorably to the other classical introduction to the issues of security, Dorothy Denning's _Information Warfare_.

Rating:
Summary: Expected better
Review: Have to go with the more critical reviews on this one. Schneier is capable of doing a great deal better. Give this book to your out-of-date boss so they have at least some grasp of what you're talking about. Then hope they will understand what you mean when you come to them trying to identify real solutions. But don't expect to find real solutions in this book.

Yeah, the world's a tough playground. In the mean time how do I protect my servers. I've been doing it now for many years, pretty much successfully, but a good system architect is always looking for new ideas. I didn't find any here. It does re-enforce a perception of the security industry in general - paranoia sells.

Rating:
Summary: Musings of information security.
Review: Schneier is just great, isn't he? He tells it how it is. And sometimes the truth just hurts. I don't agree with everything but for the most part he is just dead-on IMO.

This book isn't about specific software, this book isn't about specific algorithms. Its about thoughts and techniques. Issues to consider. Its thought provoking and its fascinating.

If you want specifics of certain technologies, recomendations on configurations, etc. then this book is not for you.

This book is for those people who really want to learn the ~thought~ and ~process~ behind security plans and implementation. Its thoughts and suggestions from one of the best in the industry. The book reminds me of those priceless 'from experience' gems you get from the best professors.

This is just a great book. -Ali

Rating:
Summary: Call Me Ishmael (or is it Bruce?)
Review: At last in computer security, we have our Melville. Written with great wisdom and understanding, Bruce Schneier lays out a plan for hunting down the great evils stalking Cyberspace. Unlike Captain Ahab though, he is a realist. He argues we can't protect against every threat; no one layer of "protection" will ever be sufficient. If a reader gets nothing more from the book that computer security requires defenses in-depth, then he or she will have spent their time and money wisely. In fact, I can't conceive of any educated person not benefiting from "Secrets & Lies." Computer security has become a concern for all of us. And, Bruce Schneier offers a very liberal education on the topic.

Rating:
Summary: Overrated book
Review: I sympathise with the opinions of many of the more critical reviewers. The book is for non-technical people. It does introduce a number of areas of importance to security professionals, but far too superficially. The depth of coverage is admittedly deeper than a newspaper or newsmagazine piece on the subject, but it's not much deeper. The style is a bit too sensational. The organisation of the book could do with an overhaul - the author tends to drift off into examples of dubious relevance. The book in general could do with a tighter and more stream-lined organisation.

The book isn't devoid of merit and people wishing to learn about the area could do worse than start here. For myself, I'm waiting for Ross Anderson's new book titled, "Security Engineering".

Rating:
Summary: Beware the Author's Motives
Review: Firstly, let me say I have a great deal of respect for Bruce Schneier. "Applied Cryptography" is a superb book. True to form, so is "Secrets and Lies". However, both books exist purely as a vehicle to advance the authors career. Isn't it interesting that when Schneier focused his business interests predominantly on cryptography-related consulting work that he was able to release two editions of "Applied Cryptography" in rapid succession? However, today when Bruce is now in the "managed security monitoring" business suddenly he can't find the time to update AC and instead produces "Secrets and Lies": a book that takes an unashamedly non-technical approach to giving a broad overview of the status of computer and information security. And guess what the overwhelming theme of the book is? "No system will ever be secure and all security will inevitably fail: you must take another approach." Of course this statement is true -- just not in the absolute, black and white sense that Schneier presents it. The purpose of this book is purely and simply to gently nudge and guide quasi-technical IT managers towards the obvious and overly-simplistic conclusion that since all security is doomed to failure, the approach that must be taken is to try to handle that failure when it occurs. Bruce's recommended solution: his managed network security business.

Of course this is all fair enough, albeit slightly underhanded, and "Secrets and Lies" is a highly readable, enjoyable and (mostly) technically accurate book. It's just not the book we need! What we need is a technical book, aimed at the same people who read and loved "Applied Cryptography", which shows how various security vulnerabilities come into being and thus how they can be minimised. Such a book would bring much more benefit to the world than "Secrets and Lies". And Bruce, while you're at it, please update "Applied Cryptography"!