Feeds

Beyond Fear A security primer for troubled minds

Bruce Schneier raises awareness without resorting to hype

  • alert
  • submit to reddit

Security for virtualized datacentres

Book review It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.

The book clearly defines the essential concepts and basic practices behind security in all areas of life. Indeed, computers and networks hardly come up. It's the universal principles that Schneier is concerned with here, and he illustrates them with numerous everyday examples from the airport to the ATM to the local supermarket.

The author writes a good deal about the limitations of security protocols, and the trade-offs between good security and other desirable things. It is not unusual for security practices to cause more trouble than they're worth, he frequently points out. He talks about how security systems fail, and why, and how to anticipate and mitigate failure, though again, in general terms with plenty of everyday illustrations.

He does a particularly good job of helping readers assess risks, and shows how we all tend to exaggerate them, especially when we don't fully understand them. And he brings the media to task for exaggerating odd events. The media love the unusual, and always give sensational stories a great deal of play. Unfortunately, the man in the street ends up with a lopsided understanding of risk, as he naturally associates the amount of media attention with a story's significance.

Schneier also does a good job of separating and defining concepts and jargonish phrases that are often used interchangeably. He breaks things down so that, for example, the popular trio identification, authentication, and authorization are explained distinctly. Not only do they need to be understood separately, they also need to be implemented separately, he points out.

Occasionally, the author forgets that his reader may be a novice, and uses jargon without enough care. For example, after correctly defining the difference between threat and risk on page 20 (i.e., a threat is a bad thing that can happen; a risk is the relative likelihood that a bad thing will happen), he later uses them interchangeably.

For example, on page 130 he writes about the trade offs in allowing government to keep security information from the public: "What are the risks to those assets? Terrorism: specifically, the risk is that terrorists will use information to launch terrorist attacks more easily, or more effectively," he says. I do think he meant threat, not risk.

Later on page 130 he writes about vulnerability disclosure: "The risk, of course, is that attackers learn about the vulnerabilities and exploit them." Again, it looks to me like he's talking about the thing that can happen, not the likelihood that it might. Of course he could really mean risk, but his phrasing gives false scent to the reader. I don't think the author is confused about this, but some readers might be.

In chapter 9 he talks about the concepts fail safe and fail secure. I've read the section several times, and I'm still not sure what he thinks the difference actually is.

So, occasionally, Schneier forgets his novice reader and uses jargon without as much care and consistency as he could. And there is an irritating mannerism, in which he uses the feminine personal pronoun in place of the indefinite pronoun, that gradually wore on my nerves. But on balance, Beyond Fear is a well-written volume that will explain the black art of security to anyone who finds the subject intriguing. It's easy enough reading for the novice, yet it contains plenty of smart observations for the advanced reader and even the security professional. I recommend it strongly. ®

ISBN 0-387-02620-7
Copernicus Books
Hardcover - 296 pages
Sep 2003 - $25.00

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.