Slashdot Mirror

← Back to Stories (view on slashdot.org)

Beautiful Security

Posted by samzenpus on from the read-all-about-it dept.

brothke writes "Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview to the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field and each author brings their own unique insights and approach to information security." Keep reading for the rest of Ben's review. Beautiful Security: Leading Security Experts Explain How They Think author Andy Oram and John Viega pages 300 publisher O'Reilly Media rating 9/10 reviewer Ben Rothke ISBN 978-0596527488 summary An eye-opening book that will challenge you A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who create defenses around digital assets must similarly use creativity when designing an information security solution.

Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.

The 16 essays, arranged in no particular theme, are meant to show how fascinating information security can be. This is in defense to how security is often perceived, as an endless series of dialogue boxes and warnings, or some other block to keep a user from the web site or device they want to access. Each of the 16 essays is well-written, organized and well-argued. The following 4 chapters are particularly noteworthy.

Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be effectively used, rather than simply being a vehicle for creating random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science, instead of an art. With that, author Elizabeth Nichols notes that the security profession needs to change in ways that emulate the medical professional when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics in the same way in which physicians work. The chapter also provides excellent insights on how to use metrics, in addition to high-level questions that can be used to determine how effective security is within an organization.

Chapter 6 deals with online-advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observed a problem with the online supply chain world, as opposed to brick and mortar (BAM) world, in that BAM companies have long-established procurement departments with robust internal controls, and carefully trained staff who evaluate prospective vendors to confirm legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which the online advertising is a victim too.

Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements that he has found, and shows how often web ads that tout something for free are most often far from it.

Chapter 7 is about the PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmerman, and current PGP CTO Jon Callas. It has been a long while since Zimmerman has written anything authoritative about PGP, so the chapter is a welcome one. Zimmerman and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model, and recent enhancements bring PGP's web of trust up to date.

Chapter 9 is one of the standout chapters in the book. Mark Curphrey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphrey deals with topical issues such as cloud computing, social networks, security economics and more. Curphrey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair — "it's difficult to get a man to understand something when his salary depends on him not understanding it." He uses the quote to challenge listeners (and readers in this case) to question the reason why they are being presented the specific ideas, which serves as a reminder of common, subtle biases for thoughts and ideas presented as fact.

In its 250 pages, Beautiful Security is both a fascinating an enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper which don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.

For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you, and change the way you think about information security. It is a good book for those whose who think information security is simply about deploying hardware, and an even better book for those who truly get information security.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Beautiful Security: Leading Security Experts Explain How They Think from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

81 comments

  1. 8==C=O=C=K==S=L=A=P==D ~~-_ by Anonymous Coward · · Score: -1, Troll

    pwned.

  2. Thinking outside the box by Anonymous Coward · · Score: 0

    "They think outside of the box which the security people built to keep them out."

    OK so the security people got them were they want them... they should get worried once they start thinking _inside_ the box.

    1. Re:Thinking outside the box by mcgrew · · Score: 1, Redundant

      I was about to get modded "redundant" because I almost posted the exact same comment. I wish people would understand what a phrase meant before trying to use it constructively, because if you don't understand a word or phrase, you will miscommunicate.

      "Thinking outside the box" means thinking beyond marketing -- thinking about how the customer will use the product once the box is in the landfill.

      The use of the phrase in the summary is a great example of not having a clue.

      --
      Free Martian Whores!
    2. Re:Thinking outside the box by theheadlessrabbit · · Score: 4, Insightful

      I wish people would understand what a phrase meant before trying to use it constructively..."Thinking outside the box" means thinking beyond marketing -- thinking about how the customer will use the product once the box is in the landfill. The use of the phrase in the summary is a great example of not having a clue.

      the phrase "think outside the box" may have meant that at one time, but its meaning has evolved since then. Now, when people say 'think outside the box' they mean "take an unconventional approach to problem solving". 'The box' is no longer referring to 'a box' that a product comes in. 'The box' is a metaphor for 'the class room', 'the board room', or 'the established paradigm'

      words change meaning with time. this is not a bad thing.

      --
      -I only code in BASIC.-
    3. Re:Thinking outside the box by stevied · · Score: 1

      AFAIK, the meaning of "box" in that expression is much more general, see:

      http://en.wikipedia.org/wiki/Thinking_outside_the_box

    4. Re:Thinking outside the box by cinderblock · · Score: 1

      This is why I always think outside the dodecahedron. :-p

      Now that you have seen the trick, you can use it everywhere too!

  3. Additional recommended reading by betterunixthanunix · · Score: 1, Informative

    Security Engineering: A Guide to Building Distributed Systems by Ross Anderson. It is actually an enjoyable textbook to read, and Anderson provides many insights into security that are easy to overlook, miss, or are highly counter-intuitive.

    --
    Palm trees and 8
    1. Re:Additional recommended reading by karlconnors · · Score: 1

      Make sure you read the second, updated edition.

      Even better than the first edition.

    2. Re:Additional recommended reading by betterunixthanunix · · Score: 1

      I agree, although the first addition is free (in all sense of the term) on Anderson's website.

      --
      Palm trees and 8
    3. Re:Additional recommended reading by betterunixthanunix · · Score: 1

      s/addition/edition/

      --
      Palm trees and 8
    4. Re:Additional recommended reading by unfasten · · Score: 1

      For those interested: http://www.cl.cam.ac.uk/~rja14/book.html
      And a link straight to the book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf

      Quote from the author:

      My goal in making the first edition freely available five years after publication was twofold. First, I wanted to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I think that many publishers (especially of music and software) are too defensive of copyright. (My colleague David MacKay found that putting his book on coding theory online actually helped its sales. Book publishers are getting the message faster than the music or software folks.) I expect to put the whole second edition online too in a few years.

      I have a hard copy of this, and while I've only read a select few chapters I have to say I enjoy the book. Definitely recommended to anyone who has a interest in any kind of security, be it information security or anything all the way upto securing a nuclear missile.

  4. Interesting that they use a cactus on the cover by Anonymous Coward · · Score: -1, Troll

    Because a cactus has a backdoor. An animal can come up from below, exploiting a stack overflow through the roots to get to the plant's meat.

    1. Re:Interesting that they use a cactus on the cover by Anonymous Coward · · Score: 0

      Because a cactus has a backdoor. An animal can come up from below, exploiting a stack overflow through the roots to get to the plant's meat.

      I see you've been camping in the southwest with Sarah Jessica Parker.

    2. Re:Interesting that they use a cactus on the cover by Anonymous Coward · · Score: 0

      I see you've been camping in the southwest with Sarah Jessica Parker.

      I've done a couple google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?

    3. Re:Interesting that they use a cactus on the cover by Anonymous Coward · · Score: 0

      I see you've been camping in the southwest with Sarah Jessica Parker.

      I've done a couple google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?

      Just think outside the box. Not very far outside it, I might add.

    4. Re:Interesting that they use a cactus on the cover by Anonymous Coward · · Score: 0

      I see you've been camping in the southwest with Sarah Jessica Parker.

      I've done a couple google searches to try and figure out WTH you're talking about, but I'm stumped. Care to clue us in to your reference?

      Here's a hint: "human" is the last word you could use to classify her in a taxonomy of earthly species. Equine, anteater, cactus tunneler, anything is more accurate.

  5. Thnx by hurting+now · · Score: 2, Insightful

    While these essays are probably available in some form or another on the web, I'll be in for one of these books. Thank you for the review.

    As an Information Security professional, I look for books and other easy to read documentation that I can recommend to management and others who indicate an interest in (or need a push in the right direction) info security. Most of the time, if I e-mail them a link or story, it gets blown off. If I can put a document (screw paper saving) in their hands or a book with a chapter as "homework" I seem to get a better response.

    1. Re:Thnx by Coldmoon · · Score: 1

      The essays are exclusive to this book

      --
      Coldmoon over Dark water...
  6. Could be a good read by gubers33 · · Score: 1

    O'Reilly Media usually puts out pretty good books in the field of Information Sciences and I would be interested in reading the wireless networking chapter by Jim Stickley. I see an issue with the review, however an issue that makes me think the reviewer is incompetent. "Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks." I see an issue with this statement in large because it is not true. The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling. Most attackers find creative ways to get into systems because they taught themselves. they only have an objective and no process they have to follow. Many security professionals learned process of coding and of doing things and think they need to follow it. The professionals need to think like the attackers, in order to defend against them. It is like using a tiger team to test your network, they can fix your network the best cause they are thinking of ways to break into it first.

    --
    Just because you are wrong and I called you out on it doesn't mean I am a Troll.
    1. Re:Could be a good read by mungtor · · Score: 3, Insightful

      I don't think he was implying that security professionals are incapable of creativity. In most organizations security is considered an inconvenience, a budget drain, and an afterthought. Very rarely is an IT team staffed appropriately to allow the time and flexibility for anybody to try to think creatively about security. Even if they had the time, convincing people to spend money to prevent attacks that haven't happened yet is more difficult than it should be.

      Being pulled away from a firewall deployment because one of the many Finance printers is out of toner is a lot more common than one would think.

    2. Re:Could be a good read by karlconnors · · Score: 1

      >>>>The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling.

      Semantics no?
      Decent review, and reviewers observations seems correct.

    3. Re:Could be a good read by morgan_greywolf · · Score: 1

      The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling. Most attackers find creative ways to get into systems because they taught themselves. they only have an objective and no process they have to follow. Many security professionals learned process of coding and of doing things and think they need to follow it. The professionals need to think like the attackers, in order to defend against them. It is like using a tiger team to test your network, they can fix your network the best cause they are thinking of ways to break into it first.

      You hit the nail right on the head! It's like a war where one side is using traditional war tactics, and the other side are guerilla freedom fighters. The tendency of a large military organization is to see the war as a problem of engineering and management, whereas the guerilla freedom fighters are willing to do whatever it takes out think and thwart their enemy, and part of guerilla mindset is, "even though we're outmanned and outequipped, we can still win if we sit here and think of ways to beat our enemy."

      Security is like war: you have to out-think and out-manuever your opponent, even if your rag-tag army of freedom fighters is out-equipped and out-manned. All security analysts should be required to run The Art of War.

      --
      My blog
    4. Re:Could be a good read by DiegoBravo · · Score: 1

      A beautiful but missing chapter would be titled "Why security standards and certifications are mostly useless (even counterproductive.)".

    5. Re:Could be a good read by NES+HQ · · Score: 1
      You could really argue this point either way and the truth, like most things, lies somewhere in the middle. The argument is [obviously] subjective since there are no real metrics to base 'how effective' someone is. Instead these opinions are, in my experience, formed based on experiences. I run into a fair number of folks who think that certs are useless because they ran across someone who was heavily certified and their company/client was breached or they were flat our incompetent. On the other hand I've run into people who were hired for jobs on the basis of their resume/interview/papers - with no certs - and were terrible security professionals.

      As I noted above, the truth is somewhere in the middle. Certs prove that you have the dedication to actually get certified and, in some cases, the skill to go with it. Of course, InfoSec certs are no different than other IT-industry certs. Some are better than others and some prove different things than others. I'd argue that a GIAC cert proves more knowledge than something like a Security+ since the GIAC certs tend to require some critical thinking and application of concepts rather than (mostly) straight memorization.

      Security professionals are like other IT professionals in that it's often tougher to hire someone based on a resume. If, for instance, I'm interviewing two guys for CEO and one made his company $100 million and the other made his $10, I at least have a metric there. As for IT hiring, I prefer to use a defense-in-depth mindset in hiring. That is to say that your best bet is to check resume, references, certs, and probably give some kind of hands-on test.

      No, the certs aren't perfect, but they definitely help.

    6. Re:Could be a good read by Anonymous Coward · · Score: 0

      In most organizations security is considered an inconvenience, a budget drain, and an afterthought. Very rarely is an IT team staffed appropriately to allow the time and flexibility for anybody to try to think creatively about security. Even if they had the time, convincing people to spend money to prevent attacks that haven't happened yet is more difficult than it should be.

      Nailhead, meet hammer.

      You've got it entirely right. Security is seen as a money sink. Hell, it gets worse than that -- IT in general is seen as a cost center. I once worked at a place where they brought in some conslutant (though she _was_ cute) to run a course called "IT as a Service Organization"! They think we're just a bunch of janitors. No disrespect intended to janitors -- they're important, but the management attitude is that if we just tidied up our own offices, we could dump the janitorial staff. Except, of course, for the executive offices.

      Talk about no respect. If the entire law or accounting or executive divisions were to quit en masse, it would take time for it to hit the bottom line. If all of IT were to walk off, it would be seen in minutes. Yet we're constantly having our needs or recommendations met with skepticism, whereas the other divisions' similar needs are seen as routine.

      Ben Franklin said that a penny saved is a penny earned. These management fools are completely unable to see that money saved by realistic security is just as much the same as earnings.

      Hah -- captcha is "managers".

    7. Re:Could be a good read by Anonymous Coward · · Score: 0

      >>>>The problem is not the lack of time spent on creativity, it is a lack of creativity from schooling.

      Semantics no?

      No. He's talking about the lack in the industry. It may stem from a lack in schooling, but is a completely different context. Adults are expected not to be bound by the last thing they learned or failed to learn in school. They should be working to improve their knowledge and methods.

    8. Re:Could be a good read by DiegoBravo · · Score: 1

      The main drawback I see in current certifications and even full "security careers" is that they see the subject as a tool for approving audits. So the "professionals" end doing a lot of paperwork that helps the organization to comply with some kind of standards, but technically remains totally insecure. Sadly, that's my experience from the big companies I had opportunity to work into.

    9. Re:Could be a good read by karlconnors · · Score: 1

      The problem is that people see certs as an end-all, when they really are the beginning.

      Certifications are great, but one should use them as a stepping stone, not a retiring stone.

    10. Re:Could be a good read by NES+HQ · · Score: 1
      I would definitely, definitely agree with that statement.

      How could we possibly be at fault for this problem? We hired a [Insert security cert here]-certified professional so I can't fathom how this could be our fault.

    11. Re:Could be a good read by yhetti · · Score: 1

      You're forgetting another critical thing....a lot of security is Cover Your Ass work, and nothing more. If you think too creatively, it means you've moved outside the scope of "best practices." Best Practices are what will Cover Your Ass when something goes wrong and you end up in court because 10k credit card numbers are in the open. Judges and managers don't want to hear that you found a totally awesome way to secure SQL server transactions by using fiberchannel instead of regular ethernet. They just want to know that you did what everybody else does, by buying brand-name firewalls, turning them on, and not changing anything.

      Security is an artform only to people who have the glorious laxity of no legal responsibility. I work at a HIPAA compliant facility; if we lose a bunch of patient data, the federal government wants to know what industry standards we were following, regardless of if they make sense. If we have some weird security paradigm that's fantastic, but doesn't involve the word "Cisco", we might well be in trouble. Because, after all, why have industry standards if they aren't good?

  7. Andy Oram also edited... by tcopeland · · Score: 2, Insightful

    ...the book Beautiful Code which was a collection of essays about, well, beautiful code. The chapter "Another Level of Indirection" by Diomidis Spinellis was one of my favorites. There were some misses in there, but overall definitely worth a look.

    Another thing - all the author royalties for Beautiful Code were donated to Amnesty International. Not sure if Beautiful Security is the same way, but, neat idea.

    --
    The Army reading list
    1. Re:Andy Oram also edited... by SilentGhost · · Score: 1

      Neat idea that needs to be advertised! Not every one enjoys being tricked into support of charities. I, for one, think that Beautiful Code was very poorly edited/organised and written. The only real ideas about beautiful code were Matsumoto's. And they certainly don't warrant either spending money on a book, nor supporting AI.

      --
      root of all...
    2. Re:Andy Oram also edited... by Coldmoon · · Score: 1

      All royalties are donated to the Internet Engineering Task Force (IETF)

      --
      Coldmoon over Dark water...
    3. Re:Andy Oram also edited... by Anonymous Coward · · Score: 0

      Neat idea that needs to be advertised! Not every one enjoys being tricked into support of charities.

      Once you pay money for something, you don't get to vote how they use that money. There was no trickery involved.

    4. Re:Andy Oram also edited... by Danse · · Score: 1

      Neat idea that needs to be advertised! Not every one enjoys being tricked into support of charities.

      How is it really any of your business what the authors/publishers do with the money they make? If they want to make it public, fine, but they're certainly not remotely obligated to. Do you demand to know what the charities a car dealer gives to before you buy a car from them? What about the other companies or individuals you purchase things from?

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    5. Re:Andy Oram also edited... by Anonymous Coward · · Score: 0

      There are only two types of people who disapprove of Amnesty International:

      1. Supporters of repressive regimes
      2. People who don't understand that the reason it used to criticize Israel and not the PLO was because at the time the PLO wasn't a sovereign state, and so its activities were those of a non-state actor - and AI has nothing to do with non-state actors.

      In case you were wondering, Cheney Republicans fall into the first category.

    6. Re:Andy Oram also edited... by Tony-A · · Score: 1

      When a book or charitable affair is advertised as being for a charitable purpose, then it is my business to know what the arrangement is. And there is a big difference between profits and proceeds.
      If a car dealer provides a car that is raffled off to some charity, it does matter if that charity is the car dealer's own pocket.

      One reason for that kind of arrangement is that it avoids messy arguments about who gets what percentage of the profits/proceeds -- as in who gets more than whom.

    7. Re:Andy Oram also edited... by Danse · · Score: 1

      However much they want to advertise it is certainly up to them. Not you. Apparently it wasn't advertised enough for you to know about it. It's not even comparable to raffling off a car. They're selling the book, not raffling them off. There's no deception here.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  8. Want absolute security? by Anonymous Coward · · Score: -1, Flamebait

    Use Macs. There has yet to be a single virus, worm, or data loss due to a compromised Mac. If more businesses used OS X, which is virtually 100% secure, most of these security pundits would be out of work completely.

    1. Re:Want absolute security? by night_flyer · · Score: 1

      if the tables were turned and Apple was the "big dog" it would be the OS being hacked, not Windows. suggesting another OS is nothing more than security via obscurity cause hackers will go where they can do the most damage, Windows has the biggest market share, so they get the most hits... BeOS doesn't have any viruses either...

      --


      Thanks to file sharing, I purchase more CDs
      Thanks to the RIAA, I buy them used...
    2. Re:Want absolute security? by Polumna · · Score: 1

      I am puzzled and intrigued by your statements. In order to further my understanding of the world, could you please check all that apply:

      [ ] I am a troll.
      [ ] I am a humor writer.
      [ ] I do not understand the nature of security as it effects all computers and networks, and not only the laptop my mother bought me.
      [ ] I believe that a virtually 100% secure operating system requires security updates. (If so, for what?)
      [ ] I do not know what "argumentum ad ignorantiam" means.
      [ ] I believe that Apple is staffed by level 84 wizards with computers enchanted with "detect traps."

      Thank you for your participation. Your answers will be kept as anonymous as you desire.

    3. Re:Want absolute security? by cromar · · Score: 1

      While the parent is obviously wrong (not even trojans can work on OS X, wow!), I wonder if what you say isn't just a small bit biased too. I mean, I honestly do wonder. Obviously, OS X or Linux would have plenty of security problems, but I bet they would be less dangerous or meaningful than the vulnerabilities in Windows. I haven't been following that debate for a while, but IIRC OS X has had far fewer remote code execution exploits than Windows has... Anyway, maybe you or someone else will prove me wrong and enlighten this discussion a bit more.

    4. Re:Want absolute security? by mcgrew · · Score: 1

      I do not know what "argumentum ad ignorantiam" means.

      The only reason to use Latin is to be a show-off. The phrase "argument through ignorance" should suffice. It's been my observation that the use of jargon, dead languages, and foreign languages do NOT enhanse communication, and their only purpose is to show the audience how "smart" you are.

      Any time anyone does this, I get suspicious of their knowledge and/or credentials: what does he have to hide? I suspect that Mr. AC most likely does NOT understand security, but he does have a point - Windows' market share is a reason they are targeted, but it's only one of a number of reasons. If Apple had 90% market share you would indeed have more Apple viruses, but I don't believe there would be as many or that they would be as bad.

      --
      Free Martian Whores!
    5. Re:Want absolute security? by karlconnors · · Score: 1

      That is absolute nonsense.

      With zero empirical evidence.

    6. Re:Want absolute security? by DrgnDancer · · Score: 1

      Well in this case the reason for using Latin is probably "Because that's the proper name of the rhetorical device in question". For whatever reason, logical errors and rhetorical devices are mostly known by Latin names. If your primary exposure to rhetoric and logical fallacies was through a class in college (generally the case when people can give proper names to these devices), that's probably how you learned them. Though I know perfectly well that "Reductum ad Absurdum" means "reduction to absurdity", I always think of the logical device by the Latin name. It's how it was taught to me.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    7. Re:Want absolute security? by Polumna · · Score: 1

      For the record, there were other reasons to use Latin. First, it's what I remembered first. Second, undoubtedly resulting in the first, my girlfriend is taking an introduction to logic class this summer, and I've been perusing my old text book for nostalgia and interest. Last, I am an obnoxious linguistic prescriptivist and "argument through ignorance" doesn't (to my mind) cover the full breadth of the Latin term, eg. argument from personal incredulity or argument by lack of imagination.

      Also, I'm kind of a show off, and I like it when other people use the fancy phrases because I can always copy-paste-Google and probably end up learning something. If I'm just being a tool, my sincere apologies. :)

      As to your last paragraph, I agree completely with it, in its entirety.

    8. Re:Want absolute security? by mcgrew · · Score: 1

      Heh, I've been out of college for decades. I barely rememered it form my logic class, and had to hit wikipedia to be sure.

      --
      Free Martian Whores!
  9. I read that as... by Anonymous Coward · · Score: 2, Funny

    "A Beautiful Secretary."

    Imagine my disappointment.

    1. Re:I read that as... by tsalmark · · Score: 1

      Do a Google search for "A Beautiful Secretary", you will not be disappointed.

  10. Grammar Nazi Me by cromar · · Score: 2, Insightful

    This is all meant in the best spirit of camaraderie. To summarize is not the purpose of a book review. The purpose is to explain to the reader why they should (or should not) read the book. Furthermore, chapter summaries are almost always redundant. Write concisely. Good opening. Informative. Understandable. Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.

    Compare to the following reworking of your review. Basically, you have a short paragraph of content:

    Books that collect chapters from expert authors often fail to do more than present disjointed ideas. "Beautiful Security: Leading Security Experts Explain How They Think" is an exception: the book provides an interesting overview of security, risk and privacy and is comprised of 16 essays, each showing how fascinating information security can be. Each of the essays is written by an established security expert and is organized and well-argued. With chapters from industry luminaries such as Mark Cuphrey, Jim Routh, Randy Sabett, Anton Chuvakin and others, "Beautiful Security" is required reading. The book highlights the importance of security metrics, with author Elizabeth Nichols explaining why the security profession should change to more emulate the medical profession in that a system of vital signs and accepted metrics should be adopted. Author Benjamin Edelman reports a problem with the online supply chain, in that it does not have long-established practices to confirm legitimacy of vendors. This has created an avenue for fraud. He has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves, and provides details of these scams. In a welcome and long absent authoritative appearance by PGP creator Phil Zimmerman, as well as current PGP CTO Jon Callas, the pair highlight substantial inaccuracies in other writing on PGP, and provide insight into the history and use of cryptography, the PGP web of trust model, and recent enhancements to that model. The book details the need to get people, processes and technology to work together to make better security decisions. It also details emerging security topics relating to cloud computing, social networks, and the economics of security. For those that have an interest in information security, or those that are frustrated by it, "Beautiful Security" will be an entertaining yet challenging read.

    A better review would briefly explain why these ideas are important, giving the separate highlighted ideas their own paragraph or two. A good rule of thumb is to explain an idea rather than only present it; the explanation presents the idea in context so the reader will not only know what is in the book but know why they may want to read it.

    Cheers and good luck!

    1. Re:Grammar Nazi Me by maxume · · Score: 1

      You called the longest (by quite a bit) paragraph in your post a short paragraph.

      --
      Nerd rage is the funniest rage.
    2. Re:Grammar Nazi Me by DrgnDancer · · Score: 1

      In this case I think chapter summaries, or more properly "chapter reviews", are appropriate. The book is a collection of essays; each of which, in theory, stands on its own as well as being part of the collection. By reviewing a few standout pieces the reviewer gives us an idea of particularly strong or weak blocks within the overall work. Had the book been a simple textbook or cohesive narrative, or had the reviewer merely summarized the chapters in question, I would agree with your criticism. As it is I think the "mini-reviews" within the main review give useful information.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    3. Re:Grammar Nazi Me by cromar · · Score: 1

      Considering it's over two thirds shorter than the entire original review, I don't particularly see your point...

    4. Re:Grammar Nazi Me by cromar · · Score: 1

      To summarize is to report what's in a chapter or book. To review is to explain what's in a chapter or book. There's nothing wrong with talking about individual chapters, but a list like "Chapter 1 talks about this. Chapter 3 talks about this." is what tables of contents are for.

    5. Re:Grammar Nazi Me by karlconnors · · Score: 1

      Isn't it a stylistic issue?
      Some people do standard book reviews, chapter 1, chapter 2,chapter x.....
      Others write a more macro-approach to the book.
      Is one better?
      Matter of opinion.

    6. Re:Grammar Nazi Me by karlconnors · · Score: 1

      >>>Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.

      Beside a missing space, could not find any of the glaring spelling or grammar mistakes. Can you point them out?

    7. Re:Grammar Nazi Me by cromar · · Score: 1

      Anyone can tell you what's in a book. A good reviewer will explain why you may want to read it, which requires going deeper than saying "Chapter 1 explains this. Chapter 3 explains this. Etc." It's a stylistic issue whether one wants to mention individual chapters, sure, but it is usually unnecessary and doesn't add much to the review. A good review needs to put the information presented in context. Saying "Chapter X explains Y. This is important because of Z." gives both an explanation and the context to understand the importance of the topic. If we take a made-up book called "JSON Web Services," a good review is not going to only say "Chapter 1 explains JSON syntax. Chapter 2 explains different JSON frameworks, etc." A good review should look more like, we can even leave the chapters in since you like that :), "The book begins with an introduction to JSON syntax, then moves on to the differences between JSON frameworks in chapter 2. The overview of the frameworks is important because there are multiple implementations for various programming languages. Not all of them are created equally. If you are planning to create a JSON web service, the comparison chart listed in this chapter will be invaluable because it explains various differences such as speed, customization options, and license, etc." The review should start off with a brief explanation of web services, why they are becoming popular, JSON, why JSON may preferred over XML, etc. (5 sentences or so nothing huge.) In either style, you would not need to specifically mention chapter 1, because knowing that chapter 1 is entitled "JSON syntax" is pretty much useless information by itself. It is important to know what is in a book, but not really to know the titles of chapters. Knowing what's in chapters of note is important, but it's only half of a good review.

    8. Re:Grammar Nazi Me by karlconnors · · Score: 1

      It is style you refer to.

      What are the errors you claim to have found?

    9. Re:Grammar Nazi Me by Anonymous Coward · · Score: 0

      so what have u contributed to /. besides critiquing everthing?

    10. Re:Grammar Nazi Me by cromar · · Score: 1

      Oh leave me alone. I think I'm being pretty clear :) Style is the way you write - the words you use, sentence structure, etc. Good writing does more than simply tell you something, and it is entirely separate from style. Good writing puts information in context, targets its audience, and is more than an extended table of contents.

    11. Re:Grammar Nazi Me by cromar · · Score: 1

      Well, I wouldn't say I critique everything, AC, I always put in a good word when I see a well written review... I'm trying to help people write better. So sue me! And if I find a book to review, then god dammit maybe I will submit something (:

    12. Re:Grammar Nazi Me by cromar · · Score: 1

      Like I said, there weren't too many errors. IIRC, there were some missing letters in a few words (an/and) and some awkward grammar. Nothing major, but it tripped me up reading it anyway. I think I'm done proofing this text though!

    13. Re:Grammar Nazi Me by cromar · · Score: 1

      For the record, Ben Rothke's book (the one mentioned in the article) looks like it's well written for reading the preview. I'm not trying to dog on anyone. I really just want to see better book reviews on Slashdot.

    14. Re:Grammar Nazi Me by karlconnors · · Score: 1

      >>>>Oh leave me alone.

      you made the claim,I called you on it; now I have to leave you alone? Please play fair.

    15. Re:Grammar Nazi Me by karlconnors · · Score: 1

      You 'claimed' there are errors, but now suddenly can't find them?

      They be thare mate! :)

    16. Re:Grammar Nazi Me by karlconnors · · Score: 1

      >>>I really just want to see better book reviews on Slashdot.

      One could argue that is an oxymoron.

      This is /., not the NY Times book reviews.

    17. Re:Grammar Nazi Me by cromar · · Score: 1

      You challenge me, I explain myself, you dismiss my explanation and make your previous claim over. Not exactly a discussion!

    18. Re:Grammar Nazi Me by cromar · · Score: 1

      Obviously.

    19. Re:Grammar Nazi Me by karlconnors · · Score: 1

      I felt you did not explain yourself.

      I am still waiting for the specific 'errors'.

    20. Re:Grammar Nazi Me by karlconnors · · Score: 1

      Sorry...obviously what?

    21. Re:Grammar Nazi Me by cromar · · Score: 1

      Obviously this isn't the New York Times. I've devoted enough time to this. If you can't find the grammatical and spelling errors yourself, I suggest picking up a copy of Hodge's Harbrace Handbook or checking it out from your local library.

    22. Re:Grammar Nazi Me by karlconnors · · Score: 1

      Rather than a cat and mouse game here, can't you give me but two of the grammatical errors?

      Please! Please!!!

      You sez he made errers, but u refuze to tellus what they be.

    23. Re:Grammar Nazi Me by cromar · · Score: 1

      It's pretty easy to see that you don't actually care what they are.

    24. Re:Grammar Nazi Me by karlconnors · · Score: 1

      I DO CARE!!!

      That is why I am making my sixth request of you to please tell me.

    25. Re:Grammar Nazi Me by cromar · · Score: 1

      First paragraph: "each author brings their own unique insights" should be "each author brings his or her own unique insights."

      Fourth paragraph: "in defense to how security is often perceived" should be "in defense against how security is often perceived."

      Sixth paragraph: "online-advertising" should be "online advertising."

      Eighth paragraph: "Chapter 7 is about the PGP" should be "Chapter 7 is about PGP." In "web of trust model, and recent enhancements bring PGP's web of trust up to date" the comma should be removed and "bring" should be changed to "bringing."

      Tenth paragraph: "a fascinating an enjoyable read" should be "a fascinating and enjoyable read."

      Eleventh paragraph: In "It is a good book for those whose who think information security" the word "whose" should be removed.

      There you go :)

    26. Re:Grammar Nazi Me by karlconnors · · Score: 1

      At last.... thanks.

      >>>First paragraph: "each author brings their own unique insights" should be "each author brings his or her own unique insights."

      that is being picky.

      >>>Fourth paragraph: "in defense to how security is often perceived" should be "in defense against how security is often perceived."

      also picky.

      >>>>Sixth paragraph: "online-advertising" should be "online advertising."

      Picky

      >>>Eighth paragraph: "Chapter 7 is about the PGP" should be "Chapter 7 is about PGP."

      At last, a REAL error.

      >>>In "web of trust model, and recent enhancements bring PGP's web of trust up to date" the comma should be removed and "bring" should be changed to "bringing."

      Picky

      >>>Tenth paragraph: "a fascinating an enjoyable read" should be "a fascinating and enjoyable read."

      wow, a real mistake!

      >>>Eleventh paragraph: In "It is a good book for those whose who think information security" the word "whose" should be removed.

      Terrible error!

      >>>There you go :)

      thanks.

      Oh, one last thing, this is /.

      No one is that picky.

      But am glad we have people like you.

      Karl

    27. Re:Grammar Nazi Me by cromar · · Score: 1

      It's kind of funny because you are being picky about me saying there were a few spelling and grammar errors :) That wasn't my main point at all. Anyway, I guess you are alright. I had you on my foes list for a minute there XD

    28. Re:Grammar Nazi Me by karlconnors · · Score: 1

      All is forgiven!

  11. Must be just me by FreakyGreenLeaky · · Score: 1

    Maybe I'm too much of a man, or maybe I'm sex starved 'coz I'm married (if you're married, you know what I mean), but the title Beautiful Security made me think of something else entirely.

  12. Coretan Imtihan by imtihan · · Score: 1

    good book review

  13. Thank you! by Hurricane78 · · Score: 1

    Hey, thank you for that rework. I loathe these "tl;dr" ultra-long low-density /. "summaries". If I want to read a book, I go and read the original book. ^^

    We should follow what I heard is seen as good style in Japan: To keep your statements as short and precise as possible. Or, in other words,to talk efficiently and compact.

    I prefer reading the same sentence thrice to reading three sentences.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.