Book Review— Secrets and Lies

I’ve been skimming Bruce Schneier’s book, Secrets and Lies, and finding it a bit disappointing. He’s such a good, clear, thorough writer in his online column that the book represents a bit of a step down. It’s a basic primer in security, especially computer security. It’s still written in his smooth, readable style, but I’m confused by the level of detail. It doesn’t offer much new to someone like me, a computer person who more or less keeps up on computer security. It does offer a general overview on a lot of topics, but sometimes he seems to surf over the complexity instead of diving into it and explaining it, which makes me suspect that people who don’t already understand the details may not get them. I might be wrong - he covers a lot of basic topics better and shorter than I’ve seen anywhere else - but it kinda seems like sometimes he introduces a topic, decides he doesn’t want to dive into the necessary depth, and then glosses over it, all in the name of being thorough.

My other complaint is that he spends plenty of time talking about users and how they're easily fooled, but very little time talking about how security professionals have failed socially. The single biggest failing of institutional security I've seen is that security people (and network people) are often bullying jerks, and hence get ignored as soon as they're out of sight. If security people understood the day-to-day hassles of their protectees, and were more often seen as allies and educators instead of unhelpful authorities with only negative powers, it seems like a lot of vulnerabilities would close up.