Secrets and Lies (Bruce Schneier)

I'm starting a new category here on multipart/mixed for books I'm reading or have completed recently. Hopefully these mini-reviews will give you some ideas for your own reading. (Plus, I make some Amazon Bucks if you buy from my links.)

There's hardly a better book to start with than Secrets and Lies. I'm currently working on security technologies at my day job, and this was a great book to start with for "the big picture." Schneier is a recognized expert in the field of computer security, and this book is his overview of the field.

Secrets and Lies makes good reading for engineers and managers in the technology field, but it's also good fodder for anyone interested in the broader field of security. One recurrent theme is that many of the modern-day computer exploits are as old as crime itself; computer fraud is just fraud in a new format. Thus even the police officer curious about computers will likely take interest in this book.

The technical discussions aren't deep enough that you need to be a software nerd to understand them, but understanding the context (e.g. a little about how networks work) will certainly help in fully appreciating what Schneier is talking about. I look at Secrets and Lies as setting the stage for more detailed study, such as Practical Cryptography.

If you're in the technology field, you should be aware of security issues even if you're not working on security products. Products of any type can turn into security holes -- witness Microsoft Word and its macro viruses. Secrets and Lies is an engaging read and I promise it'll give you some valuable food for thought.


The only Schneier book that I own is Applied Cryptography. It's a great tool for the bookshelf. It's interesting to see how, in the last decade, Schneier has moved from cryptography in particular to computer security in general to security in general. The lessons that he has learned as an expert in the field have brought him to realize that computer security is a very broad-ranging subject and that too many engineers expect to be able to apply a product or algorithm to a problem and solely thereby expect the problem to be solved. My favorite, oft-repeated quote by him is, "Security is a process, not a product." I highly recommend his monthly blog compilation called The Cryptogram.

Very true on all counts. FWIW I started reading Beyond Fear, which goes beyond computer security to security in general, but it isn't nearly as engaging as Secrets and Lies.
