
REVIEW: "Beautiful Security", Andy Oram/John Viega

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1, Jan 4, 2010
      BKBEASEC.RVW 20091008

      "Beautiful Security", Andy Oram/John Viega, 2009, 978-0-596-52748-8, U$39.99/C$49.99
      %E Andy Oram http://praxagora.com/andyo
      %E John Viega
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2009
      %G 978-0-596-52748-8 0-596-52748-9
      %I O'Reilly & Associates, Inc.
      %O U$39.99/C$49.99 707-829-0515 fax: 707-829-0104 nuts@...
      %O http://www.amazon.com/exec/obidos/ASIN/0596527489/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0596527489/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 281 p.
      %T "Beautiful Security"

      The preface states that the intention of the book is to a) make sure
      that security books sell well, b) show that security is an exciting
      career, and c) demolish the idea that security is a separate component
      that can be added to any system. (The first is a tall order, the
      second is already a common belief among many who haven't worked in the
      field or the real world, and the third is so well established in the
      minds of so many that this book had better sell extremely well if it
      is to have any chance of success.) The work is directed at those
      interested in starting a career in technology, and interested in the
      cutting edge.

      With pretty much any collection of essays, the quality varies. It is
      also true of this assortment, but the articles in this work are
      uninspired and uninspiring.

      The first paper notes the psychological factors that lead to
      insecurities, and which can be used to direct attacks against systems.
      (It promises to suggest how psychological factors can be used against
      attackers, but never delivers on that.) Another essay describes the
      common practice of creating fake wireless access points to collect
      financial and authentication credentials. A third suggests that
      security metrics can protect companies, but the two examples given are
      actually of situations where companies were using metrics: just not
      ones that would catch those specific situations. The underground
      economy involved in the organization of blackhat crime is covered in
      one piece, and presents material that is fairly simplistic from the
      perspective of those who have worked in recent malware research, but
      possibly surprising to those who have not. A review of credit card
      security issues in online commerce proposes to outline a new paradigm
      for such transactions, but ends abruptly without saying how such a
      thing might work. Another paper notes problems with online
      advertising, such as malware and click-through fraud.

      One excellent and detailed essay by Phil Zimmermann and John Callas
      describes the "web of trust" key signing and validation model from the
      PGP (Pretty Good Privacy) program. The honeyclient method of
      searching for malicious Websites is explained in another item. On the
      other hand, the following paper is simply a collection of diverse
      opinions without a theme. An article recommends project management in
      software development while another suggests making security a software
      requirement: both of these are admirable pieces of advice, but the
      papers don't provide any more convincing impetus to do so. A rambling
      dissertation on legal issues related to information security meanders
      through a variety of topics, without any central theme. The article
      on factors affecting the usefulness of audit logs is broadly
      comprehensive and to the point. The subsequent paper on incident
      detection examines a specific incident, but is otherwise a generic

      A bright spot in the book is Peter Wayner's intriguing description of
      a system of partial encryption of common databases, where visibility
      of the data depends upon location, which would have significant
      implications for e-commerce, customer privacy, cloud computing, and
      possibly even social networking. Unfortunately, the book ends on a
      slightly sour note, with a paper insisting that everyone is doing
      antivirus protection incorrectly, except the company for which the
      authors work.

      I'm not certain that this work will do anything for the sales of
      security texts. With a few exceptions, the pedestrian writing and
      ideas scarcely show that security is an exciting career. Only one
      item is close to the cutting edge. Security is not approached in a
      holistic manner in the material, so the notion of security as a
      fundamental constituent, rather than a separate component, of a system
      is unlikely to be dislodged.

      copyright Robert M. Slade, 2009 BKBEASEC.RVW 20091008

      victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
      http://twitter.com/NoticeBored http://twitter.com/rslade