Secrets and Lies: Nine Years Later


UPDATE: Just found out that most of the book was actually copyright 2000, even more impressive!

I just finished reading Secrets and Lies: Digital Security in a Networked World and wanted to write up some of my thoughts while it was still fresh in my mind.

The book was published in early 2004, hundreds of years ago in tech-time. However I was really surprised at just how pertinent it still is.

This book was written before Stuxnet, before the PRISM scandal…heck, the book was written BEFORE FACEBOOK, yet after reading Secrets and Lies I feel like Bruce Schneier saw them coming from a decade away. Like a Digital Nostradamus.

The Signs of the Social Networking Times

As if that weren’t enough, he’s still making headlines today. I can hardly make it a week without seeing something about this guy on reddit/hackernews/slashdot. (RIP Google Reader 2005 – 2013)

Anyway, enough fanboyism.

At 448 pages (heh, remember when books had pages?) there’s a lot of information. However, there were two major points that I got out of it.

1. “Nothing in cyberspace is new.”

Crime is old as law. Theft, money laundering, and child pornography are nothing new. Even modern day defenses are just digitized versions of moats and gates. If there isn’t more cybercrime, then it’s just because it isn’t fiscally worth it yet. Yet.

Sherlock HolmesThis point was really hit home for me as I had been adjacently “reading” through the complete stories of Sherlock Holmes.

The tales easily translated to the digital world:

    “The Adventure of the Blue Carbuncle” is rife with social engineering
    The Adventure of the Red-Headed League is a textbook case of “Spear Phishing”
    Mr. Holmes even cracks a case via cryptanalysis in The Adventure of the Dancing Men

However, there are three things that make “cybercrime” different.

Automation

Imagine a robber walking around a neighborhood checking for unlocked doors. The success rate and time between doors might make that sort of attempt impractical, but a similar easily-automatable task in the “digital world” is much more feasible. Especially once you start thinking about large botnets.

Action at a Distance

“If you were building a warehouse in Buffalo, you’d only have to worry about the set of criminals who would consider driving to Buffalo and breaking into your warehouse. Since on the Internet every computer is equidistant from every other computer, you have to worry about all the criminals in the world.”

Yikes.

Not only is your scope increased, but any deterrence by legal consequences are diminished by national borders. How relevant is US law to someone living in Nigeria, or Orciny?

Technique Propagation

It takes a highly skilled and specialized talent to write an efficient virus. Once published, however, it takes minimal effort for a “script kiddie” to utilize the fruits of that labor for their own nefarious deeds.

This comes up time and time again for broken digital rights management schemes and encryption methods as well.

“Only the first attacker has to be skilled; everyone else can use his software.”

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about prevention. A year ago, if you have asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.

Knowing is Half the Battle

Knowing is Half the Battle

Now my perspective is much more bleak. :)

“Computer insecurity is inevitable. Technology can foil most of the casual attackers. Laws can deter, or at least prosecute, most criminals. But attacks will fall through the cracks. Networks will be hacked. Fraud will be committed. Money will be lost. People will die.”

PS: Yes, I realize the “irony” of posting about security from a wordpress blog.