"Security Engineering" Is Now Online

An anonymous reader writes "Ross Anderson, author of 'Security Engineering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as textbook in many University courses (I teach two of them)."

Backwards System

The publishers thought for years that it was too risky to let authors put books online but they are gradually learning that this isn't so. Putting a book online often increases its sales; more people read it and those who find it useful often go buy a copy.

Funny how that works with media, isn't it? Newspapers are free to read on-line. Do they blame lack of income on that? Hell no, they probably make more money on ads that didn't cost ink and paper to print!

If we were concerned about artists, you'd put all their music online--eliminating album profits to them and labels--and pay to see the live shows. That's where they make all their money anyway.

Poor tech authors often sign anything that's in front of them to get their books out. Which means they don't make squat on the sales plus the publisher hikes the price up so that they turn a good profit. Ever bought Duda, Hart & Stork's Pattern Classification [amazon.com]? Good luck, $100 for a six year old book!? Give me the black and white Asian release that's illegally sold on eBay for $10. Yet it remains a standard in the field.

You don't believe me that authors sign outrageous contracts? Well, this poor man had to beg to get his work online. Sounds like he didn't sign a contract that left him creative and absolute control over the distribution of this work.

Yet if they don't get it into print, it can't be used in a classroom setting. What a terrible system (hail capitalism). To all artists, authors and producers of media, please cut out the middle men that make it nearly impossible for me to afford your beautiful works and more or less cheat you out of money in a highway robbery-like scam.

Printed word was an amazing invention because it posed a method to mechanically copy texts and ideas and get them out to people. The internet allows you to do that for nearly free ... use it!

Re:Backwards System

Yet if they don't get it into print, it can't be used in a classroom setting.

Fortunately, this isn't always true! While taking my advanced operating systems course, we used Linux Device Drivers which is available online for free [xml.com]. This is also the case with my Programming Languages class where we learned and wrote an interpreter for Scheme. Then, in my computers and society class we used [scheme.com]ESR's writings [catb.org] and Stallman's biography [oreilly.com].

Maybe more topics could be covered in free format... Seems to me like Google is making life easier for some English courses [google.com] and MIT already has opencourseware up and running [mit.edu].

Guess I went off on a tangent over one little line... :)

Re:Backwards System

Sounds like he didn't sign a contract that left him creative and absolute control over the distribution of this work.

Who woulda thunk it... he signs a contract to get a company to publish and distribute his work, and doesn't retain absolute control? If he wanted complete control, he would have self-published. There are pros and cons of both, and to rip the publishing industry for a perfectly reasonable contract term is ridiculous. As self-publishing becomes more and more feasible given the internet, these restrictions will change. This is a sign of that change, and you should celebrate Wiley rather than lambast them.

Yet if they don't get it into print, it can't be used in a classroom setting. What a terrible system (hail capitalism).

What an imbecilic troll. The problem isn't capitalism, it's the inherent nature of a bureaucratic system -- it's resistant to change (for good reason -- there are lots of crappy ideas out there). This depends not at all on what kind of socioeconomic system is in place, and capitalism may indeed offer better opportunities for authors (do you think an autocratic economic system would enhance the ability of authors to get their material accepted in the classroom?).

Please note, I am not a free market idealist. I am also not an apologist for the publishing industry, and their treatment of authors. However, you severely misrepresent the fact that publishers such as Wiley do indeed provide services to authors, and to the public. (Editing, fact-checking, vetting, advertising, marketing, etc).

Disclaimer: I work in magazine publishing, which is an entirely different kettle of fish. I do, however, deal with book authors on a frequent basis, both self-published and thos epublished by major imprints.

Re:Backwards System

Dunno about Wiley, but my wife publishes popular fiction and her contacts give the rights to the publisher even though the work is copyrighted to her. There is a clause in the contract, however, something to the effect that 6 years after the publication date, she can petition to get the rights transfferred to her. But that might be particular to her publisher

IOW, even though she is the copyright holder, she can't redistribute the content in any form per the contract.

Re:Backwards System

Your sentiment makes sense, but I have to agree with the GP. I think people miss some key points here:

1) The ethical (not legal - the contracts settle that) question up until this point has been whether the publishing company has a right to restrict distribution through other channels. It's not a hard case to make on the publishers' side: Until recently, there was little reason to expect that free distribution would make print sales go up, and the data on that remain unclear. So, as a publisher, why wouldn't you want to resist other distribution models?

2) If I read TFA properly, it appears that the text being distributed is the text that was edited, copy edited, etc. by Wiley. As far as I'm concerned, that gives Wiley just as much moral claim to the work as the author. People underestimate the amount of time and effort that goes into the editing process. Writers, by and large, are not good writers. So why should they always retain copyrights?

Disclaimer: I've edited for a newspaper in the past, and I'm currently an editor for an undergraduate journal, so I'm pretty obviously biased against authors-above-all types. Mod appropriately.

Re:Backwards System

I've got a friend who used to work for a small boutique publisher, and I can tell you that publishers are an author's best friend. Without them the author's works would go nowhere. Fine, change the business model to distribute freely online, but as far as increasing sales of books, those books have to fome from somewhere.

I just don't get the 'cut the middleman' mentality. What exactly do you think the publishers aren't contributing that the authors could do themselves? Are you expecting authors to employ and manage editors, designers, printers, pr and marketing people, advertisers, a nation-wide system of sales reps, sales managers, shipping companies, and so on? Or are you suggesting that these roles aren't necessary? That's the same thing as saying that books should only be digital from here on out. The attitide that the authors should 'just get a loan' to fund these activities is hogwash since the only people who could get a loan of that magnitude for an unpublished manuscript are already established authors, and even then it would be iffy. Then people suggest that authors should just publish online and screw printed materials, but for most applications like textbooks that doesn't really work for the consumer--wouldn't you rather just have a book than having to print it out yourself, which could easily cost as much in ink and paper as a bound book would, while being more irritating? Also, e-book technology still sucks. Besides, the author would still need to employ the editing, pr, marketing & advertising people anyway, because if you don't know about a book, why would you buy it? The fact is, people happily pay for advertising because the return on investment is huge.

Wouldn't it be great if there was a company that had the capital to invest like a bank, but also the expertise to cull the few good manuscripts from the staggering pile of crappy ones, then print and market and distribute these works? Wait, that would be a publisher.

I acknowledge that in some specific cases self-publishing directly to the internet might be a good business plan. But to suggest that we abandon dead trees in most cases misunderstands the market. You said it yourself, "...if they don't get it into print, it can't be used in a classroom setting." Sure, good chunks of fat could be trimmed from the publishing world, but name one industry where this isn't true? I just think that the 'middle man' is necessary to the process.

Sorry, OP. I realize that most of my rant doesn't even apply to your main points. I just don't think the middle man is all that useless in most cases.

OT: Mirrored Content

Sorry for the off thread/topic reply, but in the intrest of visibility, here you go:

Part 1: http://momoshare.com/file.php?file=1911bc824177937 7bdad8bc9387b4177 [momoshare.com]
Part 2: http://momoshare.com/file.php?file=f88b489ca8f1dcd dc76778cee3ba9d7b [momoshare.com]

SHA1 Sums
b14f5b17f2284823cd803d2c1c01970ffe88684d seceng1.zip
740a0de7f86893326b074862abdf377c881734b3 seceng2.zip

Slashdotted

And now it's offline.

Why isn't there a tarball of all the PDFs?

Password Changing

What I want to know is if this guy supports the "change your server passwords every 90 days" crap. There are about 30 passwords that I need to remember for different servers here and the admins think that it's more secure to make the passwords change every 90 days, requiring the people to write down the passwords because they can't keep remembering them. To me, it seems like a much more secure idea to change the passwords when a person who knows one of the passwords leaves. If you wait for the 90 days to be up, you risk them getting in unauthorized anyway. Changing passwords for no good reason other than a time limit is just rediculous.

Re:Password Changing

The possibility of brute force is not an argument for changing passwords frequently, unless you catch someone trying to brute force it and change it to one they've already tried. Brute force relies on the statistical likelihood of guessing the password before the reason you want access goes away. Changing the password every 90 days has no bearing on the likelihood of it being guessed in a certain amount of time, unless what you change it to has a probability of being guessed of less than what it was by virtue of the brute force method employed.

The best thing to do is to change your password anytime there is a good chance that someone who should not know it does know it. That includes an employee leaving, evidence of an unauthorized access that could have been attained by having the password (possibly discovered by brute force or by other methods), theft of the business card you wrote it down on, etc. But it does not include the mere possibility that someone could guess it - changing the password has no real bearing on their chances of guessing correctly, unless it was something insanely simple before and changed to something reasonable.

You got it. Change the circumstances.

#1. Putting the password in your wallet is taking a less secure process (written password) and encasing it in a more secure container (your wallet).

#2. Change the login process to lock out the account for 15 minutes after 3 failed login attempts. That way, less random passwords can be used (and easily remembered). As long as there is a real person monitoring the logs and watching for attacks so that action can be taken.

#3. If it is something that can be cracked off-line (secret message), store the really long password on a USB key or something. Then put that key in your wallet (#1).

A single approach is NOT sufficient for every scenario.

Grr

Did the authors of said fine book manage to spell "Engineering" correctly?

Come On, 'Enginner' Is A Word

"Enginner": n. one who drinks gin and attempts to solve problems with gin and the mathematics of gin drinking. Ex. The sot that lay in the gutter claimed to be an enginner as a passerby spat on him.

"Enginnering": trans. v. to lay out, throw up, or manage as a gin drinker (see 'enginnerate').

more free books

google 'free books' or 'free books science' for a plethora of sites publishing or linking to books for which the copyrights have expired or been released.

"Share and enjoy!"

Widest audience .. but...

My goal in making the book freely available is twofold. First, I want to reach the widest possible audience

The book got featured in slashdot.But the server is down. Should have mirrored it in free servers atleast.

Two questions

1) Is it cool to include this in Project Gutenberg?

2) Does anyone have a link, or simple way, to download this entire book in one file or torrent?

SHA1SUMs

For those of you who actually downloaded the book, here are the checksums I got. Let me know if you got the same. Thanks.

83a9bddb0ebd272cdb54c4de00580b3489a63a6b SE-01.pdf
c35f69d6080db3e09f957303e197ac8a17d1bdbf SE-02.pdf
172313ac2ca8097c68440a57736df505d8dd0842 SE-03.pdf
e999076e677a7df800f799944c060707b4afe5a1 SE-04.pdf
d014a4974797568cf6ea792d4dc49f1842213b30 SE-05.pdf
1effa14958310ed5227cfc8ead3905f4d9001131 SE-06.pdf
56e0605f0236be4d1b09cf6c6f62bd76c8581587 SE-07.pdf
f59664e9a67040ed9281b5866d56ac44802cdd8d SE-08.pdf
2269d3a3460d911780c4e3e81a819b51754617e9 SE-09.pdf
93d007c521184516405e7b2327beab8e245de15a SE-10.pdf
3ffc2ac64bb07c4d599ec67adab0e00ca16e869e SE-11.pdf
0eba902e98efcd9c107857e286253ef7ada1be81 SE-12.pdf
791d3ef1aa163f55ff1b096b1f08d487ba3c0417 SE-13.pdf
b58649be6a297097e412ad319f3fdeceb054f69a SE-14.pdf
73f66ce309b3c28ca7173b332152266452473eb2 SE-15.pdf
7b61e8330ef2b09a5d937688521a553b5e47968e SE-16.pdf
d816db2e750734700ecffaa99673e88839f95555 SE-17.pdf
0b050d413010f43d2e80ea868c4e9ca4c7bf7ec4 SE-18.pdf
e83f9c08ad10ba534b191cc267a157624bb60dc0 SE-19.pdf
256a7f5f202ad92e539b21f1d232c3d6a6c40705 SE-20.pdf
6d5018caceffdb5154a625414bef877afdfc831c SE-21.pdf
1dcc67d39f345f27852c7b1f641f802bd8bd738a SE-22.pdf
00da949e75121aa387dc9e33e77460cf26268459 SE-23.pdf
fb809a4144b3205e1bc043dc0ca92baf623c0306 SE-24.pdf
4cee602bcd02ac32055f95798c5a3aa5201822ec SE-Bib.pdf
f3c7f992180fa42325020b8a93ed2b2fa93a5779 SE-FM.pdf

E-books lacking in important feature

But what's the point if you can't display it on your bookshelf among all the other tomes you've never read.

"Reading a book on security enginnering does not security enginneer one make."
- Wiseguy

reviews

User-submitted reviews would be welcom at theassayer.org [theassayer.org], a site I run that catalogs free books, and accepts reviews of them.

Useless

"Ross Anderson, author of 'Security Enginnering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as textbook in many University courses (I teach two of them)."

Pff. If the author of one of the best books on computer security can't even spell "engineering"---in the title of his book---then we need some better books!

Mirror

Since I'm too lazy to make a torrent, here is a mirror of the files, hosted on BaDonGo.com:
http://www.badongo.com/file/1324503 [badongo.com]

Here's the torrent.

Conveniently located at the Pirate Bay [thepiratebay.org]. No karma whoring for me!

The download link is dead

While I look forward to seeing the book, the link in the article doesn't go anywhere.

Spellcheck?

'Security Enginnering'? How is that new word pronounced?

Torrent available...

...right here: http://www.meganova.org/download/fc82c202cbbc557e7 0c067869fd0e6835e0b8be4.torrent [meganova.org]

Another mirror

I've mirrored the PDFs at:

farhanahmed.com [farhanahmed.com]

Passwords be gone!

Yes, and for those that are interested in propagating good security measures in their engineering feats should take a look a 2FA (2 factor authentication) architecture as a solution. There are many companies that offer this but one of the easiest to get going with from personal experience is the folks at http://www.cryptocard.com/ [cryptocard.com] . Beats using passwords and is easy to migrate from RSA key auth to this.

Re:I can't seem to get to the book for download.

Better yet, somebody throw up a torrent and link us to it.