Secrets and lies: digital security in a networked world [Books]
At the end of August, Emulex Corp., a Costa Mesa, Calif., manufacturer of fiber channel adapters and other networking products, was the victim of a scam that sent its Wall Street valuation plummeting. According to Federal prosecutors, a former employee of Internet Wire, the service Emulex used to distribute its press releases, happened to have sold some Emulex stock short. When the stock price went up instead of down, he faced a sizeable loss. He then, allegedly, used his inside knowledge of Internet Wire practices to submit a fake press release to the wire service, announcing bad news for Emulex investors. When Dow Jones and Bloomberg Business News picked up the story and ran it, Emulex's stock price dropped drastically. In Secrets and Lies, Bruce Schneier predicts that this type of fraud will become more and more common as systems grow more complex, operations grow less centralized, and impersonal electronic communication becomes the norm. Indeed, he says he wrote the book to "correct a mistake" in his earlier work, Applied Cryptography, a leading (maybe the leading) reference work for practicing security professionals. His mistake, Schneier now says, was to think that good cryptography could safeguard our secrets. What he had ignored, he subsequently realized, was that cryptography needs to be implemented in real-world systems, and real-world systems need much more than good cryptography to protect real-world secrets. Thus, cryptography was not at fault in the Internet Wire case. It appears, as Schneier would have expected, that what was crucial to the fraud's success was knowledge of Internet Wire's real-world procedures. For example, the press release was sent in late at night, when only a skeleton night shift was on duty.
The e-mail message with which the release was submitted apparently included information that only an Emulex employee or agent was likely to have, persuading the Internet Wire staff to believe that no further confirmation was needed by the company. Schneier's new work has three parts. In the first, he assesses the nature and extent