快猫短视频

Security out of obscurity

Secrets and Lies by Bruce Schneier, John Wiley, 拢19.50, ISBN
0471253111

AN EXCEPTIONAL amount of disinformation plagues the world of information
security. For decades spies obstructed the 鈥減roliferation鈥 of cryptographic and
security know-how. This made their job of snooping far easier.

When in 1993 I tried to organise a research programme in computer security,
cryptography and coding theory, a spook in a suit approached the institute
involved. He told the director that 鈥淭here鈥檚 nothing interesting happening in
cryptography, and Her Majesty鈥檚 government would like this state of affairs to
continue.鈥 To his great credit, the director spilled the beans; the institute鈥檚
reaction guaranteed our funding.

As everything goes online, the issue of information security now concerns
everyone. And information security is about power, make no mistake: the power to
grant or deny access to a resource.

Now the public cares far more about the issues, and information technology is
empowering them. The PC lets people balance their bank accounts and verify that
the bank鈥檚 computer hasn鈥檛 accidentally added a point to the interest rate. The
contempt that many insurers and hospitals had for medical privacy became clear
as soon as they had to compete with GPs to control the electronic health record.
Government surveillance became a live issue once e-mail made it practical for
individuals to evade it.

Bruce Schneier鈥檚 Secrets and Lies attempts to explain these
conflicts and the underlying technologies to the general reader. The recent
debate in Britain over the Regulation of Investigatory Powers Bill showed the
need for explanations鈥攐r at the very least metaphors鈥攖hat could be
grasped by the general public.

Schneier has the right background. As well as scientific papers, he wrote
Applied Cryptography, which explains modern cryptography to the working
engineer鈥攁nd sold more than 100 000 copies. It portrayed cryptography as
the essential technology for protecting networked systems.

He then set up a security consultancy鈥攁nd discovered that the things
that go wrong with real systems usually have little to do with the mathematical
strength of encryption methods. People encrypt the wrong things, encrypt them
the wrong way or simply leave the back door open.

Worse, it is unrealistic to expect a company to spend a lot on security if
its customers bear the risks of fraud. The business ethos that impels companies
to contract their systems management to outsiders poses a greater threat than
any number of 鈥渆vil hackers on the Internet鈥.

In Secrets and Lies, the things that actually go wrong are explained
by lots of concrete examples, some stunning. Schneier illustrates the subtleties
of 鈥渇alse accept鈥 versus 鈥渇alse reject鈥 rates in intrusion-detection with a
trick the Mujahideen used in Afghanistan. They hurled rabbits over the fences of
Russian bases to set off the perimeter alarms. Once the Russians gave the alarm
system up for broken, the Mujahideen attacked. He adds phone frauds and fake
automated cash machines to his tales of classic commercial frauds, before
scrutinising the modern 鈥渆-variants鈥.

Schneier鈥檚 thesis is that human nature won鈥檛 change鈥攁nd that there鈥檚
not much new under the Sun. As he puts it, 鈥淭he future is like the past, except
with cooler special effects.鈥 This is reassuring: a legal system that worked in
the past is likely to work in the future. Much of the current policy panic is
unnecessary.

Secrets and Lies should begin to dispel the fog of deception and
special pleading around security, and it鈥檚 fun. It may even give people the
courage to think about protection mechanisms and policies at the system
level鈥攁nd then challenge organisations that claim some outrageous
imposition is necessary 鈥渇or security鈥.

More from 快猫短视频

Explore the latest news, articles and features