I just finished reading Secrets and Lies. Probably, having worked in IT security for approaching 5 years, I should have read it sooner. I wasn't that impressed by the bulk of the content, though, as it is clearly aimed at a less technical audience (the Star Wars analogy is a rather feeble twig offered to the techies), and it offers mainly criticism and very little constructive advice. In fact, most of the book is about the inevitability of endless security problems that will never be prevented.
But at the end it was redeemed by Schneier admitting that he felt the same about it — he simply realised that there was no hope to offer. Essentially, the book is good at explaining why there are problems, bad at explaining any way of dealing with them, and therefore good at advocating the important and inevitable alternative:
- Software companies will need to accept liability — to some extent, yet to be determined — for faults in their products.
- Once there is liability, it will be dealt with as modern economies deal with all such risks: Schneier focuses on insurance, but industry codes of practice and external audit, even without the insurance driver, are powerful defences in court to say that due diligence was done to prevent faults.
- The importance of people watching people watching people — conscious consideration of security at management levels (instead of treating it as one-off technical bugs), and expert, external auditing to gauge and minimise risks.
In this book Schneier is certainly in fear-uncertainty-and-doubt mode — and doing a better job as a self-publicist than a security advisor. But it's an excellently written book from the point of view of raising the problems with a non-technical audience, and I'm very glad to see such an influential book taking time for well-written defences of important concepts like open source, full disclosure, and the value of anonymity. Essentially he is arguing that perfect security is hopeless, but we shouldn't worry about it; instead we should just balance the risks and ensure that no individual person or company bears too much risk on their own. Provided the credit card industry can cover the fraud out of set-asides from their transaction charges, who cares if credit card numbers are stolen occasionally?