Slashdot Mirror


"Security Engineering" Is Now Online

An anonymous reader writes "Ross Anderson, author of 'Security Engineering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as a textbook in many university courses (I teach two of them)."


  1. Slashdotted by Anonymous Coward · · Score: 1, Insightful

    And now it's offline.

    Why isn't there a tarball of all the PDFs?

  2. Re:Password Changing by ari_j · · Score: 3, Insightful

    The possibility of brute force is not an argument for changing passwords frequently, unless you catch someone trying to brute force it and change it to one they've already tried. Brute force relies on the statistical likelihood of guessing the password before the reason you want access goes away. Changing the password every 90 days has no bearing on the likelihood of it being guessed in a certain amount of time, unless what you change it to has a probability of being guessed of less than what it was by virtue of the brute force method employed.

    The best thing to do is to change your password anytime there is a good chance that someone who should not know it does know it. That includes an employee leaving, evidence of an unauthorized access that could have been attained by having the password (possibly discovered by brute force or by other methods), theft of the business card you wrote it down on, etc. But it does not include the mere possibility that someone could guess it - changing the password has no real bearing on their chances of guessing correctly, unless it was something insanely simple before and changed to something reasonable.

  3. Re:Backwards System by muellerr1 · · Score: 4, Insightful

    I've got a friend who used to work for a small boutique publisher, and I can tell you that publishers are an author's best friend. Without them the author's works would go nowhere. Fine, change the business model to distribute freely online, but as far as increasing sales of books, those books have to come from somewhere.

    I just don't get the 'cut the middleman' mentality. What exactly do you think the publishers aren't contributing that the authors could do themselves? Are you expecting authors to employ and manage editors, designers, printers, PR and marketing people, advertisers, a nation-wide system of sales reps, sales managers, shipping companies, and so on? Or are you suggesting that these roles aren't necessary? That's the same thing as saying that books should only be digital from here on out. The attitude that the authors should 'just get a loan' to fund these activities is hogwash since the only people who could get a loan of that magnitude for an unpublished manuscript are already established authors, and even then it would be iffy. Then people suggest that authors should just publish online and screw printed materials, but for most applications like textbooks that doesn't really work for the consumer--wouldn't you rather just have a book than having to print it out yourself, which could easily cost as much in ink and paper as a bound book would, while being more irritating? Also, e-book technology still sucks. Besides, the author would still need to employ the editing, PR, marketing & advertising people anyway, because if you don't know about a book, why would you buy it? The fact is, people happily pay for advertising because the return on investment is huge.

    Wouldn't it be great if there was a company that had the capital to invest like a bank, but also the expertise to cull the few good manuscripts from the staggering pile of crappy ones, then print and market and distribute these works? Wait, that would be a publisher.

    I acknowledge that in some specific cases self-publishing directly to the internet might be a good business plan. But to suggest that we abandon dead trees in most cases misunderstands the market. You said it yourself, "...if they don't get it into print, it can't be used in a classroom setting." Sure, good chunks of fat could be trimmed from the publishing world, but name one industry where this isn't true? I just think that the 'middle man' is necessary to the process.

    Sorry, OP. I realize that most of my rant doesn't even apply to your main points. I just don't think the middle man is all that useless in most cases.

  4. Can we change the roles a bit? by khasim · · Score: 2, Insightful

    "I just don't get the 'cut the middleman' mentality. What exactly do you think the publishers aren't contributing that the authors could do themselves?"

    For me, the "cut the middleman" mentality is because the middleman is not serving my interests nor the author's.

    I cannot buy the books I want because the middleman owns the book and refuses to publish it anymore.

    I cannot buy the book from the author because the author doesn't have the rights to sell it to me.

    How about the middleman actually behave like a middleman?

    Sell me anything I want to buy that you have purchased the rights to. Otherwise, get out of the way of my dealing directly with the author. Don't try to increase your profits by constructing an artificial choke-point between the producer and the purchaser.
    1. Re:Can we change the roles a bit? by Anonymous Coward · · Score: 2, Insightful

      The book wouldn't exist in the first place without the middleman. To say that they are not serving the author's interests is not true; the author had the choice not to sign the contract with the publisher. Contract negotiations are a give and take; the author both got something and had something taken away. Your interests are irrelevant to this business decision except as part of a potential market, and if the publisher thinks they can't make money in that potential market, they won't try. You may not like it, but it's the same business decisions that made the book available in the first place.

  5. Re:Two questions by RShizzle · · Score: 3, Insightful
  6. Re:Backwards System by spiffyman · · Score: 5, Insightful

    Your sentiment makes sense, but I have to agree with the GP. I think people miss some key points here:

    1) The ethical (not legal - the contracts settle that) question up until this point has been whether the publishing company has a right to restrict distribution through other channels. It's not a hard case to make on the publishers' side: Until recently, there was little reason to expect that free distribution would make print sales go up, and the data on that remain unclear. So, as a publisher, why wouldn't you want to resist other distribution models?

    2) If I read TFA properly, it appears that the text being distributed is the text that was edited, copy edited, etc. by Wiley. As far as I'm concerned, that gives Wiley just as much moral claim to the work as the author. People underestimate the amount of time and effort that goes into the editing process. Writers, by and large, are not good writers. So why should they always retain copyrights?

    Disclaimer: I've edited for a newspaper in the past, and I'm currently an editor for an undergraduate journal, so I'm pretty obviously biased against authors-above-all types. Mod appropriately.

    --
    So you can laugh all you want to...
  7. You got it. Change the circumstances. by khasim · · Score: 3, Insightful

    #1. Putting the password in your wallet is taking a less secure process (written password) and encasing it in a more secure container (your wallet).

    #2. Change the login process to lock out the account for 15 minutes after 3 failed login attempts. That way, less random passwords can be used (and easily remembered). As long as there is a real person monitoring the logs and watching for attacks so that action can be taken.

    #3. If it is something that can be cracked off-line (secret message), store the really long password on a USB key or something. Then put that key in your wallet (#1).

    A single approach is NOT sufficient for every scenario.
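
The lockout rule from point #2 of the comment above, as an added example that is not part of the original post or of any real login system: it tracks failed logins, records an alert for whoever is watching the logs, and computes how far the 3-attempts-per-15-minutes limit stretches an online guessing attack. All class and function names are hypothetical, and the event list is constructed sample data.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3            # from the comment: 3 failed login attempts
LOCKOUT_SECONDS = 15 * 60   # from the comment: 15 minute lockout

@dataclass
class LockoutPolicy:
    """Hypothetical in-memory tracker; a real system would persist this state."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # feed for the person watching the logs

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        if now < self.locked_until.get(user, 0):
            # Reject even a correct password while locked, so guesses made
            # during the lockout window reveal nothing.
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.alerts.append((now, user))
            return "locked_out"
        return "denied"

def max_online_guesses(seconds: float) -> int:
    """Upper bound on guesses against one account within `seconds`."""
    return (int(seconds // LOCKOUT_SECONDS) + 1) * MAX_FAILURES

def days_to_exhaust(keyspace: int) -> float:
    """Days of nonstop guessing needed to try every candidate password."""
    cycles = -(-keyspace // MAX_FAILURES)         # ceiling division
    return (cycles - 1) * LOCKOUT_SECONDS / 86400

# Constructed sample events: (seconds since start, user, password was correct)
SAMPLE = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
          (3, "alice", True), (902, "alice", True)]

def replay(events):
    policy = LockoutPolicy()
    return [policy.attempt(u, ok, t) for t, u, ok in events], policy.alerts

if __name__ == "__main__":
    print(replay(SAMPLE))
    print(max_online_guesses(86400), "guesses per day at most")
    print(round(days_to_exhaust(26 ** 6) / 365), "years for 6 lowercase letters")
```

The same counter lets anyone lock a legitimate user out by failing on purpose, which is one more reason the comment's condition of a person monitoring the logs matters.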

  8. Re:Password Changing by anum · · Score: 2, Insightful

    And...

    5) Someone gets a copy of your password file (or SAM or wherever your hashed passwords are kept). If you change your passwords occasionally then they only have a limited time to run brute force methods against the file. Once you change your passwords you are safe again. Don't change your passwords and eventually they will own your entire organization. You won't even know it happened until it's too late. It's a less likely scenario these days but it is still a valid attack vector. Once that file gets out ONLY changing your passwords will help.

    --
    I don't think, Therefore I'm not.
  9. Re:Password Changing by Anonymous Coward · · Score: 1, Insightful

    "Oh, and what's so wrong with writing it down and putting the paper in your wallet? You keep your credit card in there. And i'm sure that you probably wouldn't want that stolen either."

    If someone physically steals my credit card, I will know very quickly. If someone steals the number, I will know soon. In both cases, I have a reasonable, known response.

    If someone steals my password from my wallet, I might not ever know, and what is my reasonable, known response?

  10. That's Some Nice Namecalling by Anonymous Coward · · Score: 1, Insightful

    "What an imbecilic troll."

    Uh, thanks? Yeah, I love you too.

    Look man, it's capitalism that drives the men to charge money for doing nothing. I'm not an idealist either way and enjoy many benefits from capitalism. It's just strange how much capitalism hurts academia. In intellectual property, publishing and copyrighting everything. Literally everything.

    Please argue with me next time instead of just calling names. Sheesh.

    "do you think an autocratic economic system would enhance the ability of authors to get their material accepted in the classroom?"

    Nope, not at all. Whatever gave you that idea? The drive for money (especially in a case like this) is one of the downfalls of capitalism. It's sad the author had to argue to get his book online. How many other authors must have the same ailments with a desire only to help people?!

    "I work in magazine publishing..."

    So that's where you learn to deal so smoothly with people you don't know? :-)

    Your friend in Linux but enemy in publishing,

    eldavojohn