Slashdot Mirror
The Myths of Security
brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
author
John Viega
pages
260
publisher
O'Reilly Media
rating
8
reviewer
Ben Rothke
ISBN
978-0596523022
summary
A contrarian provides an interesting look at the information security industry
The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore places themselves and the systems they are working in danger. Malware finds computers to load on, often in part to users who are oblivious to the many threats.
Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abound, many of the often skeptical views he writes about, show what many may perceive are information security truths, are indeed security myths.
From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.
The book is made up of 48 chapters, on various so called myths. Most of the chapter are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.
While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myth is chapters 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.
In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.
Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.
Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is good introduction to information security. While well-written and though provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of the information security, and the reader, either security pro or novice, comes out much better informed.
While the author makes it clear he works for McAfee, and at times takes the company to task; the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.
Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the books arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what it going on. They are worth perusing, and the book is definitely worth reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know .
You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page.
Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abound, many of the often skeptical views he writes about, show what many may perceive are information security truths, are indeed security myths.
From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.
The book is made up of 48 chapters, on various so called myths. Most of the chapter are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.
While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myth is chapters 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.
In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.
Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.
Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is good introduction to information security. While well-written and though provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of the information security, and the reader, either security pro or novice, comes out much better informed.
While the author makes it clear he works for McAfee, and at times takes the company to task; the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.
Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the books arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what it going on. They are worth perusing, and the book is definitely worth reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know .
You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page.
There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...
Security does not actually protect you, it delays others. If you don't implement enough delays to allow yourself to find out you're being attacked and to act accordingly, it's all useless.
"Common sense will be the death of us all"
Lots of friends and family - people who are otherwise thoughtful, intelligent, and clueful - simply don't think about security. That will always be the weak link. You can't "design around" the casual negligence of hundreds of millions of users.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Security is only one of many issues that could be vastly improved if people cared more than they currently do.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
See, I have no security. Anyone can access my data. Folks come across the data and think, "There's no security. This can't be real!" I throw in some names like "Dick Hertz, Harry P. Ness, Mike Hunt, Haywood Jablowme, etc..." and the data thieves think it's bogus.
I call it "Security through rudenss."
If the book can be summarized in those last three sentences is it really worth the read? I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.
mmmm...forbidden donut
While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.
Hopefully, we'll get to that point without a wide-spread catastrophe... for example, the current "Smart Power Grid" ideas will have "Intelligent" power meters in most homes and businesses... imagine what a security failure in a widely deployed "Intelligent" power meter could do!
It is a great failing in our industry that its viewed as a problem that "most don't think about security".
Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them.
EG, a good succes story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible cludges like "the Club", and people had to think all the time about it, in theory.
Now our carkeys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.
Test your net with Netalyzr
Ben, Thanks for the positive review. I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection). But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old. John
If it raises the cost of hurting you to higher than the adversary is willing to spend, it protects you.
The trick is knowing how much security is worth paying for.
If the adversary is willing to spend $1000 to attack you, and you have to spend $100 a month to raise the cost of an attack to $1001, and if a successful attack will cost you $1 and the number of successful attacks will be 1 per decade because face it, you don't have much to offer, then it's not cost-effective. On the other hand, if an adversary is willing to spend the same $1000 and it will cost you the same $100 a month to make yourself too expensive to attack, but each breach will cost you $500 and there will be about 1 breach per month if you don't invest, then suddenly things look different.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Actually, during the last Access-all-areas held in London I brought along a Samsonite briefcase with a digital lock.
Someone spent the ENTIRE weekend trying to open the lock and didn't manage, which was due to a bit of evil from my side. The lock has 4 digits, so I entered a code and opened/closed it - he tried everything from 0000 to 9999 and didn't manage.
The reason was me pretending to press keys. That case had a cute feature: you didn't have to use all 4 digits, so the actual combination was just "9" with me pretending to hit other buttons :-)
Ah, those where the days..
PS: that lock had a major weakness anyway so I didn't use it long - it was just amusing..
Insert
Someone spent the ENTIRE weekend trying to open the lock and didn't manage
I knew security geeks were people with high boredom thresholds but this takes the biscuit.
Yours Sincerely, Michael.
How many books have this stupid subtitle?
It must work...
Well I have read the book and the much funnier "Secrets and Lies" AC about 3 times and Secrets and Lies more. First AC is in the nature of a scholarly review book and introduction to mathematical and procedural cryptography. It says nothing DEFINATIVE about particular ciphers but DOES make the point that all cryptography depend on mathematically difficult problems that Mathematicians have an annoying problem of simplyfing, and this is the nature of the MD5 and SHA1 attacks, and the advice to "walk not run to the exits". Rijndael aka AES is much better than 3 x DES and the new hash will be better than the SHA family.
This stuff is not snake oil, but you need to understand it at a mathematical and process level to get good results and you need to test, see the Debian SSL fiasco.
So, for example SHA1 is more than fine for all practical purposes in the version control system 'git' where only accidental collisions are concerning. For all the security bruhaha about SHA1 no one can tell you how to forge the message that you would like to send with a given known SHA1. Most people will notice if they see a message "send a cammel ein milliarde swietzerish franken to the First Crooked Bank of Nigeria" (deliberate errors). So unless you can fix the SHA1 with spaces and <CR> <LF>, in small numbers, and you can not you are SOL.
And any valid process encrypts both the message plain-text AND the hash, and to be useful the HASH better depend on the senders private key and be de-cryptable by their published keys (fingerprint freely available) eg
sig. omb GPG Key ID: 0xy0481D676FBC700y, old PGP Key Id: 0xy97186Ay
Finally, the idiot pols in the USA and UK could do just one thing useful, issue everyone a high grade X509 cert for free and sign the Social Security or NHS number using the private key.
This looks, at first case badly flawed, since all private keys are known and held by government whereby they can be mis-used or lost.
I leave it as a simple, excercise to the reader to turn this into a very cheap, foolproof security system which absolutely stops identity theft.