The Myths of Security

brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.
Title: The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Author: John Viega
Pages: 260
Publisher: O'Reilly Media
Rating: 8
Reviewer: Ben Rothke
ISBN: 978-0596523022
Summary: A contrarian provides an interesting look at the information security industry
The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore place themselves and the systems they work on in danger. Malware finds computers to load onto, often thanks in part to users who are oblivious to the many threats.

Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype about, many of the skeptical views he writes about show that what many perceive as information security truths are in fact security myths.

From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is badly needed. With that, the book's subtitle of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, not literally true.

The book is made up of 48 chapters on various so-called myths. Most of the chapters are 2-3 pages long, and each tackles one of these myths. The range of topics covers the entire security industry, spanning security technologies, issues, risks, and people.

While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myths are chapter 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se; rather it is an overview of the state of information security, and why it is in such a state.

In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice: it is important to do your homework on the security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem, though, is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.

Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is a good introduction to information security. While well-written and thought-provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those who are interested, the book covers the entire gamut of information security, and the reader, whether security pro or novice, comes out much better informed.

While the author makes it clear that he works for McAfee, and at times takes the company to task, the book references McAfee far too many times. At times the book seems like an advertisement for the company.

Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the book's arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what is going on. They are worth perusing, and the book is definitely worth reading.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.


  • Myths of Security? (Score:3, Interesting)

    by erbbysam ( 964606 ) on Monday August 31, 2009 @02:23PM (#29265013) Homepage
    There are no myths of security, just the myth of security itself. Modern computer security is based on the fact that there are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...
    • by mcgrew ( 92797 ) * on Monday August 31, 2009 @02:28PM (#29265075) Homepage Journal

      There are no myths of security

      Sorry, but I'm going to have to send you to Bob's office [angryflower.com].

    • Your comment isn't very intelligible. Are you confusing cryptography with computer security, perhaps?

    • Re: (Score:3, Insightful)

      by smartr ( 1035324 )
      There's plenty of monetary incentive for math to come forth and reverse things. For all we know, P = NP and public key encryption is broken as a pure concept. But we don't, and no one is able to step up and take tons of money to prove one way or the other.
    • by Forge ( 2456 ) <kevinforge AT gmail DOT com> on Monday August 31, 2009 @03:59PM (#29266383) Homepage Journal

      There are no myths of security, just the myth of security itself. Modern computer security is based on the fact that there are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

      I disagree.

      There are many security myths that have made it into company policy etc...

      For-instance the idea that forcing all staff in a mid sized to large company to update their passwords every months or two is somehow more secure than allowing them to keep the same password indefinitely.

      In practice, this causes them to use simpler passwords that just barely meet whatever limits are imposed (i.e. a single number and one capital letter) and to rotate through slight modifications of this weak password.
      Password#1
      Password#2
      Password#3

      Etc...

      Or worse yet. Some just write down the password in a place that's easy to find.

      As for those Algorithms. Sure they can be broken. As long as you update them faster than the old ones are broken you should be fine. What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware.
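The rotation pattern described above (Password#1, Password#2, ...) is something a password-change handler can refuse even when each variant satisfies the "one digit and one capital" rule. This is an added example, not code from the thread; the password history, the 12-character minimum and the similarity threshold are assumed sample values:

```python
"""Reject new passwords that are trivial rotations of previous ones."""
import re
from difflib import SequenceMatcher

# Constructed password history for one account (sample data, not real credentials).
HISTORY = ["Password#1", "Password#2", "Password#3"]

# Common single-character substitutions users apply to dodge dictionary checks.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def meets_naive_policy(pw: str) -> bool:
    """The 'one digit and one capital letter' rule the comment describes.

    Every Password#N variant passes this, which is exactly the problem.
    """
    return any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)


def normalize(pw: str) -> str:
    """Reduce a password to its reusable core so rotation variants collide.

    'Password#3' -> 'password', 'P@ssw0rd!' -> 'password'.
    """
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)  # drop the trailing counter/punctuation
    core = core.translate(LEET)           # undo leetspeak inside the word
    core = re.sub(r"^[^a-z]+", "", core)  # drop leading punctuation
    return core


def is_trivial_variant(candidate: str, history: list[str], threshold: float = 0.8) -> bool:
    """True if the candidate shares its core with, or is nearly identical to, an old password."""
    cand_core = normalize(candidate)
    for old in history:
        if cand_core and normalize(old) == cand_core:
            return True
        # Catch edits the core check misses, e.g. one character changed mid-string.
        if SequenceMatcher(None, candidate.lower(), old.lower()).ratio() >= threshold:
            return True
    return False


def check_new_password(candidate: str, history: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Rotation variants are refused regardless of policy.

    The 12-character floor is an assumed value for this example.
    """
    if is_trivial_variant(candidate, history):
        return False, "too similar to a previous password"
    if len(candidate) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password#4", "P@ssw0rd!", "correct horse battery staple"]:
        print(pw, "| naive policy:", meets_naive_policy(pw),
              "| variant check:", check_new_password(pw, HISTORY))
```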

      • Re: (Score:3, Insightful)

        "What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware."

        Which in turn makes my machine run like it's running malware and requires an additional core just to handle all the "security" software I have installed.

    • Anything that is done by man can be undone by man. Yes, the algorithms can be reversed, just not quickly. That may change, but security has almost always been about making the potential "win" too difficult to achieve. Think about it. In medieval times, castles and fortresses were built on top of hills/mountains so they would be more difficult to breach. Were they ultimately defeatable? Of course, but the cost in either human lives, money, or both, was often too great to warrant an attack.
    • Re: (Score:2, Insightful)

      by Gverig ( 691181 )

      Your statement, that's a myth, one of many. Sure, there is no ABSOLUTE security, but nobody claims that. There is no absolute physical security either: with enough resources anything can be stolen and anybody can be killed. It's the understanding of how secure you are in any given situation and how to improve your chances of staying safe (in virtual or real worlds) that defines security, and surely that exists.

      • But with physical attacks, the attacker must make the effort to get physically close to you. Even in large crowds this means only a few potential attackers.

        On the internet, by contrast, anybody can attack your system. That's several million potential attackers. The probability that you are under attack is close to 100%.

    • > the state of information security can be summed up in the book's final three sentences What the F***?! It totally spoiled the end for me, without even a "SPOILER" warning. I don't wanna read the book anymore.
    • First off, there are cryptographic protocols which don't involve one-way-functions. Consider one-time-pad, for example.

      Secondly, the bigger mistake you're making here is presuming that a lack of absolute security is a lack of security. Security isn't a binary predicate: something that you have or don't have. You could just as easily argue that you don't have any security because there are human beings who run the programs and control authorization, and human beings are fallible. Really, the lack of crypto

  • by tacarat ( 696339 ) on Monday August 31, 2009 @02:23PM (#29265015) Journal
    Security does not actually protect you, it delays others. If you don't implement enough delays to allow yourself to find out you're being attacked and to act accordingly, it's all useless.
    • It can protect you (Score:5, Insightful)

      by davidwr ( 791652 ) on Monday August 31, 2009 @02:55PM (#29265425) Homepage Journal

      If it raises the cost of hurting you to higher than the adversary is willing to spend, it protects you.

      The trick is knowing how much security is worth paying for.

      If the adversary is willing to spend $1000 to attack you, and you have to spend $100 a month to raise the cost of an attack to $1001, and if a successful attack will cost you $1 and the number of successful attacks will be 1 per decade because face it, you don't have much to offer, then it's not cost-effective. On the other hand, if an adversary is willing to spend the same $1000 and it will cost you the same $100 a month to make yourself too expensive to attack, but each breach will cost you $500 and there will be about 1 breach per month if you don't invest, then suddenly things look different.

    • Oh damn, but that means I have to read logs...
  • by oldspewey ( 1303305 ) on Monday August 31, 2009 @02:24PM (#29265021)
    Lots of friends and family - people who are otherwise thoughtful, intelligent, and clueful - simply don't think about security. That will always be the weak link. You can't "design around" the casual negligence of hundreds of millions of users.
    • Re: (Score:2, Insightful)

      by Omnifarious ( 11933 ) *

      I try to educate people carefully and non-confrontationally every chance I get. It's an uphill battle, but one I think is worth fighting.

    • by fuzzyfuzzyfungus ( 1223518 ) on Monday August 31, 2009 @02:36PM (#29265215) Journal
      You might well be able to, actually. You just can't preserve the user's freedom while doing so.
      • Re: (Score:2, Interesting)

        by arminw ( 717974 )

        ...You just can't preserve the user's freedom while doing so....

        Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone that has been filtered and approved. This does limit the user's freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.

        • by cusco ( 717999 ) <brian@bixby.gmail@com> on Monday August 31, 2009 @03:20PM (#29265763)
          Wow, just imagine the uproar if M$ tried something like that. I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".
          • Re: (Score:3, Insightful)

            I'm sure MS would never do that (directly) to Windows; but that is basically the XBox360.

            Now, getting people to cheer them for it is something that only one of the Steves can manage.
            • Ironically enough, my XBOX360 crashes more than my home computer, work computer and 5 lab computers all combined.
          • by s.bots ( 1099921 )

            "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

            I think your sig is a more valid contribution to the discussion than your comment... You can toss as many security obstacles on a computer as you can, but if your end user is a knuckle-dragger who loves his FREE PR0N! and VI@GR4, then your attempt at security is wasted.

            • by arminw ( 717974 )

              ....then your attempt at security is wasted....

              Well yeah, for those users who don't care about security. However, the majority of iPhone and iTouch users DON'T jailbreak their gadgets, because they do care about security or maybe they are just too lazy to care. The vast majority of users would be content to get guaranteed secure solutions on their Macs, just like they get on the iPhone. The small minority of the rest, especially /.ers, would of course figure out how to load lots of pron and other malware on

            • knuckle-dragger who loves his FREE PR0N! and VI@GR4

              The idea that people buy stuff from spam is a myth rooted back when spammers were small time chumps. Modern spam operations are basically a component of organized crime funded by some mafia or big government. These people don't make money off Pr0n or V1@gr4, they make money off pump and dump schemes and fucking with government and private computer systems.

            • by epine ( 68316 )

              "Think about how careless the median person is. Now, realise that half of them are carelesser than that." - George Carlin amended

              Strangely I had just finished reading a PDF by Allison Randall about tagmemics when I stumbled across the line

              A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.

              Now, finally, I understand etic and emic.

          You think the mythical "normal joe" is ever going to go "outside the box" and install stuff that isn't in the Ubuntu repository? I doubt it. If Ubuntu suddenly had 50% market share, 49.5% of that market would be installing applications only from the repository.

          • by Fred_A ( 10934 )

            I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".

            I can't think of many that would care. Most of them would probably consider it convenient. After all a fair number of those very same people manage to hose their machines with worrying regularity. And that's among both home and corporate users.

            I know I'd love it if Microsoft set up a Linux distro style repository with some half-decent quality checking. I'd have much less work to do for people around me fixing their broken machines (even though I hardly know anything about Windows).

      • by lgw ( 121541 ) on Monday August 31, 2009 @03:28PM (#29265897) Journal

        Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice. A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for. Hopefully people will focus on that, instead of the myth of the "educatable user".

        Limiting what individual pieces of software can do, rather than what the user can do, is key. Admin/root account vs normal account is a first step, but nowhere near a last one, as it still requires too much user smarts. SE Linux's per-process finely-detailed jails are a great further step, but fail because they depend on a known good source of software, and only installing from there. Taking a few more steps in this direction would be real research, and profoundly improve computer security.

        Thinking that the answer is to improve the user instead of the system only makes sense from a religious perspective (and even then, half the religions would disagree that this is possible).

        SE Linux's per-process finely-detailed jails are a great further step, but fail because they depend on a known good source of software, and only installing from there.

          In the broader sense, SE Linux fails because it is a fucking bear to configure and use, even for a relatively adept technical user. I can't imagine unleashing that thing on an "average" person.

          • by lgw ( 121541 )

            It can't work if the user has to configure the per-process jails. The jail should come with the software, both from an authoritative source. Typical malware can only change the process, not the jail, so can do only limited damage (i.e., you can prove the malware could not install a rootkit). However, this ultimately fails because the malware will social-engineer the user into jailbreaking the malware. Still, that approach is better than the "root or not" model, because the finer-grained process permissio

        • A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.

          How about this security model:

          Hunt down the people who deploy malware and take them out of circulation.

        • You make some valid points, but I don't think the myth of the "educatable user" is a myth at all. There's a reason why most security experts, and AV-software vendors, emphasize the need for educating users. It's not to deflect responsibility from the software. It's not to undermine their own business model. It's because you need, both, reasonably secure software and reasonably educated users. Sure, you can't expect users to be perfect; even the security experts themselves are fallible. But without basic use

        • Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice.

          Somehow that makes me think of the name "Theo". I don't know why. Must be some coincidence. ;-)

    • Re: (Score:2, Insightful)

      by mraudigy ( 1193551 )
      The biggest problem and risk with computer security is ultimately the users. And, unfortunately, you just can't fix stupid...
    • by nweaver ( 113078 ) on Monday August 31, 2009 @02:40PM (#29265257) Homepage

      It is a great failing in our industry that its viewed as a problem that "most don't think about security".

      Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticeable that people should not think about them.

      E.g., a good success story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible kludges like "the Club", and people had to think all the time about it, in theory.

      Now our car keys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.

      • by fuzzyfuzzyfungus ( 1223518 ) on Monday August 31, 2009 @02:46PM (#29265327) Journal
        On the minus side, while your car may be safe, having to get one of the keys replaced will make you feel like your wallet has been stolen. Obviously, that isn't intrinsic to the technology; a similar system could have been implemented as a cheap industry standard. But that moment of technological change (while it did increase security) also allowed the vendors to strengthen their positions.
      • Re: (Score:3, Interesting)

        Modern cars are actually a pretty bad example. Your new car is "far more secure" against the average destitute crackhead non-pro thief, but cracking codes and cloning RFIs is actually pretty trivial for a pro. So it appears reasonable to conclude that (to paraphrase an old saw), "even the best security only works against the honest and the incompetent".
        • If you are smart enough, organized enough and motivated enough to clone RFIs, you probably won't steal cars though. Instead you might use your skill to, say, gain physical access to somebody's point-of-sale system and steal a few thousand credit card numbers.

      • Re: (Score:3, Insightful)

        Yes, but with the car you still have trust issues. As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door. Or when I give my keys to a friend I have to trust that he has good judgment and at least basic driving skills.
        Many of the run-of-the-mill infections are based as much on misplaced trust ("I wanna see dancing bunnies") as they are on weaknesses in the system itself. And trust isn't something a compu
        • BTW, this is to say nothing of the dumbasses who leave the keys in the car while they run into the store and the like. As they say, you can't cure stupid.
        • As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door.

          Or that he does work for the hotel but still won't just go for a joyride.

      • "It is a great failing in our industry that its viewed as a problem that "most don't think about security".

        Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticeable that people should not think about them."

        Strictly speaking about IT security systems, I agree, security systems should be much more "automagic" then they are today. But if you're relying on an IT system for security you're already

  • Common Problem (Score:3, Insightful)

    by SilverHatHacker ( 1381259 ) on Monday August 31, 2009 @02:26PM (#29265057)
    Security is only one of many issues that could be vastly improved if people cared more than they currently do.
    • by migla ( 1099771 )

      Security is only one of many issues that could be vastly improved if people cared more than they currently do.

      Yes. And this raises the question of what issues can't. What are the issues we should postpone, because they only require some polish? I'd love to see a prioritized list of all the issues.

    • by Meshach ( 578918 )

      Security is only one of many issues that could be vastly improved if people cared more than they currently do.

      I think you have identified the major problem with security: people do not care. They do not want to spend time setting up a firewall, evaluating sites, or patching a system. They want a computer to be like a toaster: you take it out of the box and it works right away. And it keeps working with no intervention. Until computers get to that point it will be a continual problem.

      • Re: (Score:3, Insightful)

        The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

        • Re: (Score:3, Insightful)

          by Meshach ( 578918 )

          The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

          I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

          • The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

            I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

            I know everyone here hates it, but that's what Ubuntu is for.

          • The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

            I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

            Ironically, most major Linux distributions provide exactly that - the least effort in system maintenance, hiding the things users really don't care about and providing what they do. Ubuntu is very good about it, and I'd imagine RHEL and SLES are too.

            P.S. I always wondered why Novell chose to go with SLES - it's just so easy to say as "sleaze" and doesn't make a good mnemonic impression.

          • by lennier ( 44736 )

            "They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part."

            And that's not a bug in the user, it's a feature. If we're not using computers to *decrease* our cognitive load, but to increase it, then both we and the software designers are doing it wrong.

            A nifty command that doesn't do what you want is not actually as nifty as it thinks it is.

        Perhaps the policy sucks and the people implementing the policy don't understand "security". Places that like to have you change your password once a month. Worse, websites that have you create a password with punctuation and a huge length. These things aren't secure. All they do is force people into writing the password down or saving it as a text file.

        "Blame it on the user" is always a cop out. Blame it on the idiot paranoid sysadmin. Blame it on the idiot programmer who can't be assed to design a us

    • Re:Common Problem (Score:4, Insightful)

      by bberens ( 965711 ) on Monday August 31, 2009 @03:04PM (#29265535)
      I'm sure I'll be modded down for this, but I don't see why a company or person SHOULD concern themselves more with security than they do currently. A simple cost/benefit analysis of what it actually entails to become "secure" shows that it's simply not worth it. It's the same math that goes into determining whether to do a vehicle recall and whether or not to install a home security system. If you look at it in those terms, you'll see we're dramatically over-spending on security.

      And yet... I'm often considered paranoid by my peers (IT and otherwise) with respect to my personal information.
      • Re: (Score:3, Insightful)

        by plopez ( 54068 )

        Part of the problem is building it in from the beginning. There is much more fun and/or marketing appeal to build in eye candy, support the latest games, multi-media capabilities, mobile devices support etc. than to design in security.

        A vendor or kernel programmer group should design it in from the ground up. But there isn't really any money in it for vendors and few programmers think of it as fun. With the exception of these guys maybe http://www.openbsd.org/security.html [openbsd.org]

        So in other words, many people are

      • These people didn't spend too much on security. (At least the right type of security)
        http://en.wikipedia.org/wiki/Barings_Bank [wikipedia.org]

        Barings Bank (1762 to 1995) was the oldest merchant bank in London[1] until its collapse in 1995 after one of the bank's employees, Nick Leeson, lost £827 million ($1.3 billion) speculating — primarily on futures contracts.

        After that, many banks implemented rules to prevent that. Some were cheap: "Make sure every employee takes at least 2 weeks vacation at a time". Some were expensive, like making dozens of people sign off on every decision.

        There are cheap ways to achieve the most benefit from your security dollars. There's also a lot of expensive security theater.

  • by Anonymous Coward on Monday August 31, 2009 @02:29PM (#29265107)

    See, I have no security. Anyone can access my data. Folks come across the data and think, "There's no security. This can't be real!" I throw in some names like "Dick Hertz, Harry P. Ness, Mike Hunt, Haywood Jablowme, etc..." and the data thieves think it's bogus.

    I call it "Security through rudeness."

  • by castironpigeon ( 1056188 ) on Monday August 31, 2009 @02:31PM (#29265133)
    If the book can be summarized in those last three sentences is it really worth the read? I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.
    • Re: (Score:3, Funny)

      by kalirion ( 728907 )

      I think the solution is clear - we need biometrically protected stickies!

    • by yali ( 209015 )

      I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.

      What I suspect many /.ers do not adequately consider is that the most ridiculously complex security systems are especially likely to be thwarted by user behavior.

      The folks who design security systems need to realize that human beings are part of the system (i.e., pay attention to usability and to the peculiarities of human cognition, motiva

  • While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.

    Hopefully, we'll get to that point without a wide-spread catastrophe... for example, the current "Smart Po

  • Thanks! (Score:5, Interesting)

    by viega ( 564643 ) <viega&list,org> on Monday August 31, 2009 @02:42PM (#29265285) Homepage
    Ben, Thanks for the positive review. I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection). But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old. John
    • So this book was written to educate fanboys about their bad habits? I don't need another book on security that assumes I'm an irresponsible, apathetic zealot. Your apparent attitude has just unsold this book for me.

    • Re:Thanks! (Score:4, Insightful)

      by kevjava ( 259717 ) on Monday August 31, 2009 @03:40PM (#29266107)

      But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old.

      The thing is, you're not convincing me that the book is out of date. There is plenty of material on the Internet that is over a decade old and is still relatively current. I read the Cathedral and the Bazaar [catb.org] for the first time last month, and drew a good amount of benefit from its words, even if I'm not ready to swallow it whole. The Mythical Man Month [wikipedia.org] shed quite a bit of perspective on project management, a field that our industry has fifty or so years of experience in, and yet we still do terribly at.

      The principles of cryptography are still the same today as they were in the days of the Roman Empire and the Caesar Cipher, with all the bits about Alice and Bob with Mallory in the middle. Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

      I'm no Schneier "fanboy", and haven't actually read the book; I just genuinely want to know.

      • Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

        The field moves very fast because it is an "arms race." On that alone, I think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition.

        • by lennier ( 44736 )

          "On that alone, i think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition."

          I'm not convinced either. If the fundamental underlying assumptions of a field change completely in ten years, then surely they weren't fully understood to begin with and we shouldn't listen to what the new trendy ideas are either. Come back when you've got something to say which won't be invalidated in the next patch release.

          Trends and fashions and demographics ch

          • If you even have to think like it's an arms race, you're doing it wrong to begin with.

            Tell that to antibiotics, MRSA, and such...The "wrong" way is sometimes better than no way.

            Trends and fashions and demographics change. Mathematical principles don't.

            But that is the problem. Mathematics won't solve the security problem. Security is a people problem.

            The math might not have changed. But the engineering principles are based on what is feasible on today's (+10 years) hardware. So the math behind public-key

      • No Need (Score:3, Interesting)

        by omb ( 759389 )
        Well, I have read the book and the much funnier "Secrets and Lies" AC about 3 times and Secrets and Lies more. First, AC is in the nature of a scholarly review book and introduction to mathematical and procedural cryptography. It says nothing DEFINITIVE about particular ciphers but DOES make the point that all cryptography depends on mathematically difficult problems that Mathematicians have an annoying problem of simplifying, and this is the nature of the MD5 and SHA1 attacks, and the advice to "walk not run t
    • Anyone who draws security inferences from a book without taking into account the papers due to be published next week is hopelessly out of touch.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I met John Viega at DEFCON and he seemed put off that people didn't know him. He's got a chip on his shoulder - especially about Schneier - Viega doesn't have anything but derivative works to his name and knows it.

      This book is basically a manifestation of his personal self-esteem issues, he's making up a windmill to tilt at. If there's any myth about security - it's him. He's a hack repeating other people's ideas to create a place for himself.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This book would have been better off as a series of blog posts. At least then people wouldn't expect things like internal consistency.

      Seriously, was publicly disclosing what you consider to be a harmful vulnerability two chapters after your rant about how bad full disclosure is intentional irony? Or did you just not proofread your own book?

  • I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

    Case in point, SQL injection att

    • by sydb ( 176695 )

      I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

      Don't blame the developers, at l

    • "many developers will just dismiss the extra work."

      Or it will be their managers?
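  The "SQL injection" case in point raised in the comment above, as an added example that is not part of any commenter's post: the "quick" string-formatted query beside the parameterized one, run against a constructed in-memory SQLite table. The table, usernames and payloads are all made up for the demonstration; the extra work the parameterized version needs is one `?` and a tuple.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Classic tautology payload: closes the quoted literal and ORs in a true clause.
INJECTION = "' OR '1'='1"
# UNION payload: appends a second SELECT and comments out the trailing quote,
# turning a username lookup into a dump of the schema.
SCHEMA_LEAK = "x' UNION SELECT name, sql FROM sqlite_master --"


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The lazy version: the caller's string is spliced into the SQL text,
    so anything the attacker types becomes part of the statement's grammar."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The correct version: the value travels separately from the statement,
    so quotes, OR and UNION in the input are compared as data, never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with both payloads."""
    conn = make_db()
    return {
        "benign/vulnerable": lookup_vulnerable(conn, "alice"),
        "benign/safe": lookup_safe(conn, "alice"),
        "tautology/vulnerable": lookup_vulnerable(conn, INJECTION),  # every row
        "tautology/safe": lookup_safe(conn, INJECTION),              # no rows
        "union/vulnerable": lookup_vulnerable(conn, SCHEMA_LEAK),    # schema text
        "union/safe": lookup_safe(conn, SCHEMA_LEAK),                # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

  Both functions behave identically for a legitimate username, which is why the vulnerable one survives testing; the difference only shows up when the input carries SQL syntax. The same pattern applies to any driver that accepts placeholders (`%s` for psycopg2, `?` for most others); the point is that the placeholder, not escaping, is what keeps input out of the parser.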

  • The problem is not computer security but security, period. Most physical security (locks, alarm systems) is based on obscurity, barriers to entry that are easy to leap, and overall bad design. Why would it be different for computer security?

    • Physical security and securing your Internetworked computer are actually qualitatively different issues.

      Sure, your network security can be circumvented if physical access is easy.

      However, ANY criminal ANYWHERE in the world can get at your insecure Internetworked computer. Furthermore, they can often do it in automated fashion with minimal risk!

      Physical access, on the other hand, requires that the criminal show up in person. That vastly limits his scope for criminal behavior and vastly increases his risk.

  • From the book: "Even though I recently retired from McAfee, I still believe it is doing far better than the rest of the security industry for a few core reasons."

    Googling "Who is John Viega", I get this: John Viega is CTO of the SaaS Business Unit at McAfee and the author of many security books, including Building Secure Software

    Sorry folks, but I don't believe that McAfee is the end-all and be-all authority on security. I'll read the book, and see what I can learn, but McAfee and I go back a long way. It's

    • > McAfee and I go back a long way. It's been one crummy relationship.

      I dunno, man. Back in the early 90s, their e-mail tech support was top-notch.

  • Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that give

    • From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology"

      If the vendor can't explain how their security works without compromising it, then it's not security, it's obscurity and it's also probably snake-oil.

  • by luddite47 ( 907624 ) on Monday August 31, 2009 @04:24PM (#29266741)
    How many books have this stupid subtitle?
    It must work...
  • Now reviewers of books on Slashdot shill their own books as proof of their own credibility as a reviewer? Awesome.
