Praise for Secrets and Lies
Successful companies embrace risk, and Schneier shows how to bring that thinking to the Internet.
Mary Meeker, Managing Director and Internet Analyst, Morgan Stanley, Dean Witter
Bruce shows that concern for security should not rest in the IT department alone, but also in the business office... Secrets and Lies is the breakthrough text we've been waiting for to tell both sides of the story.
Steve Hunt, Vice President of Research, Giga Information Group
Good security is good business. And security is not (just) a technical issue; it's a people issue! Security expert Bruce Schneier tells you why and how. If you want to be successful, you should read this book before the competition does.
Esther Dyson, Chairman, EDventure Holdings
Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational: two common pitfalls of writers who take on cybercrime and security. All this helps to explain Schneier's long-standing cult-hero status, even (indeed especially) among his esteemed hacker adversaries.
Industry Standard
All in all, as a broad and readable security guide, Secrets and Lies should be near the top of the IT required-reading list.
eWeek
Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun.
New Scientist
This book should be, and can be, read by any business executive, no specialty in security required... At Walker Digital, we spent millions of dollars to understand what Bruce Schneier has deftly explained here.
Jay S. Walker, Founder of Priceline.com
Just as Applied Cryptography was the bible for cryptographers in the '90s, so Secrets and Lies will be the official bible for INFOSEC in the new millennium. I didn't think it was possible that a book on business security could make me laugh and smile, but Schneier has made this subject very enjoyable.
Jim Wallner, National Security Agency
The news media offer examples of our chronic computer security woes on a near-daily basis, but until now there hasn't been a clear, comprehensive guide that puts the wide range of digital threats in context. The ultimate knowledgeable insider, Schneier not only provides definitions, explanations, stories, and strategies, but a measure of hope that we can get through it all.
Steven Levy, author of Hackers and Crypto
In his newest book, Secrets and Lies: Digital Security in a Networked World, Schneier emphasizes the limitations of technology and offers managed security monitoring as the solution of the future.
Forbes Magazine
Secrets and Lies
DIGITAL SECURITY IN A NETWORKED WORLD
Bruce Schneier
Wiley Publishing, Inc.
Publisher: Robert Ipsen
Editor: Carol Long
Managing Editor: Micheline Frederick
Associate New Media Editor: Brian Snapp
Text Design and Composition: North Market Street Graphics
Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.
Copyright © 2000 by Bruce Schneier. All rights reserved. Chapter 1, Introduction, copyright © 2004 by Bruce Schneier. All rights reserved.
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, Email: permcoordinator@wiley.com.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.
Library of Congress Cataloging-in-Publication Data:
Schneier, Bruce, 1963-
Secrets and lies : digital security in a networked world / Bruce Schneier.
p. cm.
Wiley Computer Publishing.
ISBN 0-471-25311-1 (cloth : alk. paper) ISBN 0-471-45380-3 (paper : alk. paper)
1. Computer security. 2. Computer networks--Security measures. I. Title.
QA76.9.A25 S352 2000
005.8--dc21 00-042252
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
To Karen: DMASC
Preface
I have written this book partly to correct a mistake.
Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions (unregulated gambling, undetectable authentication, anonymous cash) safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."
It's just not true. Cryptography can't do any of that.
It's not that cryptography has gotten weaker since 1994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum.
Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.
Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible.
The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naive.
The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.
Since writing the book, I have made a living as a cryptography consultant: designing and analyzing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics were made irrelevant through bad programming, a lousy operating system, or someone's bad password choice. I learned to look beyond the cryptography, at the entire system, to find weaknesses. I started repeating a couple of sentiments you'll find throughout this book: "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product."