Beyond Fear: A security primer for troubled minds

Bruce Schneier raises awareness without resorting to hype

Book review

It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.

The book clearly defines the essential concepts and basic practices behind security in all areas of life. Indeed, computers and networks hardly come up. It's the universal principles that Schneier is concerned with here, and he illustrates them with numerous everyday examples from the airport to the ATM to the local supermarket.

The author writes a good deal about the limitations of security protocols, and the trade-offs between good security and other desirable things. It is not unusual for security practices to cause more trouble than they're worth, he frequently points out. He talks about how security systems fail, and why, and how to anticipate and mitigate failure, though again, in general terms with plenty of everyday illustrations.

He does a particularly good job of helping readers assess risks, and shows how we all tend to exaggerate them, especially when we don't fully understand them. And he takes the media to task for exaggerating odd events. The media love the unusual, and always give sensational stories a great deal of play. Unfortunately, the man in the street ends up with a lopsided understanding of risk, as he naturally associates the amount of media attention with a story's significance.

Schneier also does a good job of separating and defining concepts and jargonish phrases that are often used interchangeably. He breaks things down so that, for example, the popular trio identification, authentication, and authorization are explained distinctly. Not only do they need to be understood separately, they also need to be implemented separately, he points out.
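To make the point about keeping identification, authentication and authorization separate concrete, here is an added example (not from the book or from this review) in which each concept is its own step and each can fail on its own. The user records, the passwords and the permission table are constructed sample data; the per-user random salt and the constant-time comparison are ordinary practice, not anything the book prescribes.

```python
"""Identification, authentication and authorization as three distinct steps.

Added example; not from the book or the review. The user records, passwords
and permission table are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _hash(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of a password (sufficient for a demo; use a KDF in practice)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _make_record(password: str) -> Tuple[bytes, bytes]:
    """Build a (salt, digest) record with a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, _hash(salt, password)


# Constructed sample credential store: username -> (salt, digest).
USERS = {
    "alice": _make_record("correct horse"),
    "bob": _make_record("battery staple"),
}

# Constructed permission table: username -> set of actions that user may perform.
PERMISSIONS = {
    "alice": {"read", "write"},
    "bob": {"read"},
}


def identify(claimed_name: str) -> Optional[str]:
    """Identification: the caller *claims* an identity. Nothing is proven yet."""
    return claimed_name if claimed_name in USERS else None


def authenticate(name: str, password: str) -> bool:
    """Authentication: verify the claim against the stored credential.

    compare_digest avoids leaking timing information about the digest bytes.
    """
    record = USERS.get(name)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _hash(salt, password))


def authorize(name: str, action: str) -> bool:
    """Authorization: decide whether this proven identity may perform the action."""
    return action in PERMISSIONS.get(name, set())


def handle_request(claimed_name: str, password: str, action: str) -> str:
    """Run the three steps in order; each one can fail independently of the others."""
    name = identify(claimed_name)
    if name is None:
        return "unknown identity"
    if not authenticate(name, password):
        return "authentication failed"
    if not authorize(name, action):
        return "not authorized"
    return f"{action} allowed for {name}"


if __name__ == "__main__":
    for args in [("alice", "correct horse", "write"),
                 ("bob", "battery staple", "write"),
                 ("bob", "wrong password", "read"),
                 ("carol", "anything", "read")]:
        print(args, "->", handle_request(*args))
```

The point the separation makes visible: bob is a known user (identification succeeds) who proves his identity (authentication succeeds) and is still refused a write (authorization fails). A system that merges the steps, for example by treating "logged in" as "allowed", cannot express that outcome.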

Occasionally, the author forgets that his reader may be a novice, and uses jargon without enough care. For example, after correctly defining the difference between threat and risk on page 20 (i.e., a threat is a bad thing that can happen; a risk is the relative likelihood that a bad thing will happen), he later uses them interchangeably.

For example, on page 130 he writes about the trade-offs in allowing government to keep security information from the public: "What are the risks to those assets? Terrorism: specifically, the risk is that terrorists will use information to launch terrorist attacks more easily, or more effectively," he says. I do think he meant threat, not risk.

Later on page 130 he writes about vulnerability disclosure: "The risk, of course, is that attackers learn about the vulnerabilities and exploit them." Again, it looks to me like he's talking about the thing that can happen, not the likelihood that it might. Of course he could really mean risk, but his phrasing gives false scent to the reader. I don't think the author is confused about this, but some readers might be.

In chapter 9 he talks about the concepts fail-safe and fail-secure. I've read the section several times, and I'm still not sure what he thinks the difference actually is.

So, occasionally, Schneier forgets his novice reader and uses jargon without as much care and consistency as he could. And there is an irritating mannerism, in which he uses the feminine personal pronoun in place of the indefinite pronoun, that gradually wore on my nerves. But on balance, Beyond Fear is a well-written volume that will explain the black art of security to anyone who finds the subject intriguing. It's easy enough reading for the novice, yet it contains plenty of smart observations for the advanced reader and even the security professional. I recommend it strongly. ®

ISBN 0-387-02620-7
Copernicus Books
Hardcover - 296 pages
Sep 2003 - $25.00
