Beyond the Codes

At the end of August, Emulex Corp., a Costa Mesa, Calif., manufacturer of fiber channel adapters and other networking products, was the victim of a scam that sent its Wall Street valuation plummeting. According to Federal prosecutors, a former employee of Internet Wire, the service Emulex used to distribute its press releases, happened to have sold some Emulex stock short.

When the stock price went up instead of down, he faced a sizeable loss. He then, allegedly, used his inside knowledge of Internet Wire practices to submit a fake press release to the wire service, announcing bad news for Emulex investors. When Dow Jones and Bloomberg Business News picked up the story and ran it, Emulex's stock prices dropped drastically.

In Secrets and Lies, Bruce Schneier predicts that this type of fraud will become more and more common as systems grow more complex, operations grow less centralized, and impersonal electronic communication becomes the norm. Indeed, he says he wrote the book to "correct a mistake" in his earlier work, Applied Cryptography --a leading (maybe the leading) reference work for practicing security professionals.

His mistake, Schneier now says, was to think that good cryptography could safeguard our secrets. What he had ignored, he subsequently realized, was that cryptography needs to be implemented in real-world systems, and real-world systems need much more than good cryptography to protect real-world secrets.

Thus, cryptography was not at fault in the Internet Wire case. It appears, as Schneier would have expected, that what was crucial to the fraud's success was knowledge of Internet Wire's real-world procedures. For example, the press release was sent in late at night, when only a skeleton night shift was on duty. The e-mail message with which the release was submitted apparently included information that only an Emulex employee or agent was likely to have, persuading the Internet Wire staff to believe that no further confirmation was needed by the company.

Schneier's new work has three parts. In the first, he assesses the nature and extent of the security threats we face today. The next part scrutinizes the technologies now and soon to be in place to deal with those threats. The final part looks at some specific threats and strategies to deal with them.

The first part is extremely effective. Schneier describes the extent to which our lives are dependent on digital systems, the range of corporate, personal, and other information available to anyone who can enter those systems, and finally, the frightening array of potential attackers ready to prey upon any weakness in those systems. While it is not the author's intention to scare his readers, ordinary citizens and e-commerce managers alike will get a rude awakening if they have been underestimating the security challenges that life in a networked environment entails.

"Technologies," the second part, takes up the bulk of the book. Here are discussions of cryptography, authentication, computer and network security, software reliability, and various security strategies from digital certificates to watermarking and from smart cards to virtual private networks. Schneier discusses equally those technologies that have been turned into real products, such as public-key cryptography, and those which have not as yet, such as steganography (the art of hiding information in plain view). This part of the book can be skimmed to get a sense of the overall range of concerns, strategies, and products, or as a reference work, to be revisited and read in detail when needed.

The third part, entitled "Strategies," contains useful discussions of various methods and methodologies of designing more secure systems. Especially interesting and potentially useful are the descriptions of attack trees and threat modeling, which last consists of looking at a system and imagining all possible attacks on it.

It is hard to say for whom the book is written, but there are two things to greatly like about it. The first is the way that difficult concepts are explicated, both with nontechnical explanations and with comparisons to everyday, often nontechnological, examples. The second is the range of actual security and secrecy examples drawn upon, not necessarily technologically sophisticated and not necessarily from recent history. A discussion of denial-of-service attacks includes mention of the problems that the online auction house eBay and other dot-coms had within the last year, while the burning of the Temple of Diana at Ephesus over 23 centuries ago is cited as a publicity attack, the arsonist having aspired to immortal fame for destroying one of the seven wonders of the ancient world.

One thing not to like, unfortunately, is the author's heavy-handed pitch for outsourced security management services--a business he recently entered with a startup company.

As best this reviewer can tell, Schneier's book seems to be intended for Internet and other network and e-commerce managers who need to concern themselves with technology-based security concerns. The book successfully drives home the message that entire systems need to be secure, that increasingly complex systems are increasingly insecure, and that the technology of security is the least of the matter. The beginning and end of the book are a quick and entertaining read, and the central section can serve as a useful reference work for managers and nonsecurity professionals.