A friend is trying to track down a science fiction story in which the president had a death sentence at the end of their term.
I know you’re all smart and good looking and at least one of you will know the exact author and title.
You probably know Dennis Fisher because of his writings on Threatpost or his Digital Underground podcast, where I’ve appeared several times. I wanted to help him spread the news that his first novel “Motherless Children” is now available. You should check it out.
I’ll get my review done shortly, but I wanted to help spread the word.
A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-star cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus the human factor, and it finishes nicely with a section on business models. A few chapters are more about security in general than about the cloud(tm) specifically, but that’s not particularly a problem.
My only real complaint about the book is that with so many authors, things don’t always flow as smoothly as they could when moving from chapter to chapter. This is however made up for by the generally high quality of the work. In particular, in addition to the authors mentioned above, you’ll also want to make sure to read the sections by Lori MacVittie, Brian Honan and Kevin Riggins.
This book is targeted at decision makers, managers and others who need to understand cloud from a business view, so if that’s you, I encourage you to read this book. Definitely worth the price.
Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer.
From the store’s blog, “Grand Opening: June 11th”
I’ve been helping David and Danielle a little with book selection because they’re good folks and I love great bookstores. I encourage Seattle readers to stop by.
On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussein and other tyrants.
As his website says, “Geoffrey Robertson QC has been counsel in many landmark cases in constitutional, criminal and media law in the courts of Britain and the commonwealth and he makes frequent appearances in the Privy Council and the European Court of Human Rights.” So he knows what he’s talking about, and he knows how to tell an engaging story.
The principle that no one is above the law is an important one. So today raise a glass and remember John Cooke.
You should go read The Lost Books of the Odyssey. You’ll be glad you did.
I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, unwilling to tolerate experiments which ought to have been kept confined to a laboratory. And so, knowing that this book won a prize worried me greatly, but for reasons which I’ll get to in a moment, I persevered, and I’m glad that I did.
The “lost books” consist of very short stories, usually of a few pages or so. The context is, of course, the Odyssey, and the actions of its heroes and villains.
It falls into that class of writing which is simply a delight to read. The stories are beautifully crafted, surprising, and cast new light on old stories.
The richness and character of the writing is exceptional and engaging, all the more so for the origin and nature of the work. As Zachary Mason explains in the introduction, “The Lost Books of the Odyssey” were in fact lost and recovered, in a feat perhaps nearly as impressive for its cryptanalytic acumen as for its literary importance.
It is entirely worth reading, and since I first read it, it has been winning substantial literary prizes, and the New York Times calls it “dazzling.”
Finally, I should mention that Zachary and I were roommates at Miss Hall’s School for Precocious Youth in Arkham, Mass. I would like to offer my most sincere apologies for anything he remembers.
[Updated, fixed a spelling error]
I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept, “visual notetaking,” where you use images to support the other notes you are taking during a meeting. I’m at a two day workshop and we have a professional notetaker who is using this. It really makes the notes much more powerful and useful than just text. Imagine having notes with visual cues (including but not limited to network diagrams) to help you remember what happened. I’m sitting here looking at the posters the notetaker made in real time with our discussions, and it’s amazing how much more useful they are.
I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a book that is as engaging as RSnake’s or Jeremiah’s blog, but even more so.
This is not a book on how to build secure websites; there are plenty of those already. This is a book for security practitioners who get to deal with the site after it’s been built and deployed. It is full of great advice and information about not just how to detect attacks, but also how to distinguish between human attackers, regular users, bots and spiders.
This book should be on the purchase list of every security geek and if Rob hadn’t graciously given me a copy, I’d have already sent him my $40. Send him your money and make him a rich man.
I’ve been remiss in not posting a review of Tetraktys, by Ari Juels. Short review: It’s better written and has better cryptographers than the ones in any Dan Brown novel, but that’s really damning it with faint praise, which it doesn’t deserve.
It’s a highly readable first novel by Ari Juels, who is Chief Scientist at RSA Labs. The story is about a cryptographer who discovers an ancient plot involving a secret conspiracy. The ending is a little Stephenson-esque, insofar as it’s abrupt, but I got the feeling that that was authorial intent, not accident.
I enjoyed it, but since I don’t review a lot of fiction, I’m a bit unsure what to say about it. Is it better than Cryptonomicon? It depends how you weigh value per word. I was jolted into writing a short review by the new FTC rules, because I both bought a copy and was given one. I read the one I bought when Ari launched the book at RSA last year, and after I’d read it (but months ago) his publisher sent me a copy. Oh, and Ari’s employer has bought me dinner, but not in the last year. Finally, the link to the book is a non-affiliate link as far as I know. But given the complex messiness of Amazon linkage mechanisms, I’m actually unsure.
Since I haven’t read the copy I was given, and I already had a copy, was I really given anything?
As regular readers know, I regularly disclose such things and have since I started this blog. But as this example shows, putting long and complex rules in place will never cover the messy and emergent chaos which is the world in all its glory.
Anyway, you should buy a copy and read Tetraktys.
John Viega recently published a new book: The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know.
It’s a great read, especially if you are new to or are interested in the security industry as a whole. However, even if you are a long term security veteran, you will find it enjoyable.
The book is a series of essays addressing a range of topics from “The Cloud” to the state of the AV industry and everything in between. The essays aren’t long, but they are very thorough. This makes it easy to pick up the book, become engaged, and learn something quickly.
My only complaint is with the essays around privacy and anonymity. They weren’t nearly as deep as I was hoping, nor on par with the rest of the book. Despite this, the book is excellent and well worth reading. I highly encourage you to pick up a copy.
In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that it’s Orwell.
The root cause of the issue is that the version of the Orwell novels available on the Kindle weren’t authorized editions. When contacted by the owners of Orwell’s copyrights, they deleted the books and refunded customers’ money.
All things considered, Amazon did something approximating a right thing in this matter. They didn’t have the right to sell the novels, and so they pulled the novels from the store and customers, and gave the customers a refund. About the only thing they could have done righter was to give something to the people who thought they had the books. The best thing to give them would have been authorized copies of the books, but store credit would be nice, too.
You can find a New York Times article on it, as well as a CNET article, as well as a Tech Dirt article that brings up the very good point that deleting the books was very likely against the Kindle terms of service, which is why Amazon likely should offer those people something.
Among all the handwringing, there are a number of stupid people — or perhaps people who should just know better — who somehow mutter dark things about how this serves people right for getting a device that has DRM in it. (As if they’ve never owned a DVD.)
Some of these people who should know better might think that I’m somehow in favor of DRM, so let me say that I am not. I am against DRM. I am also against nuclear war, swine flu, totalitarian governments, and bad service in restaurants. I’m also against one or two other things. None of them had anything to do with this little contretemps.
The issue is caused not by DRM, but by cloud computing. The problem is that Amazon has a cloud service in which Kindle customers can keep their e-books on Amazon’s shelf, and shuffle them around to any Kindle-enabled device they have (like a Kindle proper, or an iPhone running the Kindle app). Customers can even delete a book from their Kindle and get it back from the cloud at a later date.
The event is that Amazon removed the book from the cloud, not that it had DRM in it. If you are concerned by this, you should be concerned by the cloud service. The cloud service enabled Amazon to respond to a legal challenge by removing customers’ data from the cloud. They didn’t need DRM to do it. In contrast, if the iTunes store or the Sony e-book store had improperly sold a book, they wouldn’t be able to revoke it because they don’t have a cloud service as part of the store. (eMusic, incidentally, regularly adds and removes music from their store with the waxing and waning of desire to sell it.)
This is why we need to look at it for what it is, a failure in a business model and in the cloud service. Interestingly, the newly-formed Cloud Security Alliance predicts similar issues in which outside parties cause a cloud provider to shaft its customers. Not bad.
Their prescience is a bit limited because the proposed solution to this problem is to encrypt the cloud data with some fancy key management. That wouldn’t work here for the same reason that DRM isn’t an issue. If I know you have a resource, it doesn’t matter if magic fairies protect it, if I can delete it. It’s still good advice, it just wouldn’t have worked here.
What’s needed is some sort of legal protection for the customers, not technical protection. There are many potential warts here. If the owners of Orwell’s copyrights do not desire any ebooks of his works, it’s hard for Amazon to go buy legal copies for their customers (which would have been the most right thing to do). And it’s hard to argue that the seller shouldn’t do everything in their power to undo a sale they shouldn’t have made.
The correct way to deal with this is through some sort of contract arrangement to protect the customer. (The Cloud Security Alliance is prescient on this, as well.) That contract should be the Terms Of Service between the cloud provider and its customers. As TechDirt pointed out, this was likely a breach of Amazon’s TOS. They’re not supposed to delete books. They said they wouldn’t. Because of this, they owe something to their customers who were on the losing end of this breach of contract beyond the refund. I think ten bucks store credit is fine, myself.
They really need to do something, however, because if they don’t, someday someone will violate their own TOS with Amazon and defend it by pointing to this breach of the TOS.
However, if you want to cluck your tongue, it should not be about buying goods with DRM, it should be about goods stored in the cloud. Everyone who offers cloud services ought to be clarifying now what they will do to protect their customers against lawsuits from outside parties. It can be crypto or contracts, it doesn’t matter, it just needs to work. This may be the first major cloud-based customer service failure, but it won’t be the last.
As I’ve said before, all non-trivial privacy warnings are mocked and then come true.
Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual.
Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s house, despite the fact that they don’t reduce crime. People can be detained for 28 days without charge, and there are “anti-social behavior orders,” which allow a civil court to impose behavioral restrictions on children as young as 10 based on somewhat relaxed standards of evidence.
Being modern, the UK has outsourced most of its torture to other less reputable nations like Syria and the United States.
If you like books, if you like to read, you need a copy of Anne Fadiman’s “Ex Libris: Confessions of a Common Reader.” You especially need to read it if you care an iota about identity management, because the major themes in her essays are not only about books, but about identity. (In case you’re wondering, yes, she’s the daughter of Clifton and Annalee.)
The first major theme is about mixing books in a relationship. She opens Ex Libris with:
A few months ago, my husband and I decided to mix our books together. We had known each other for ten years, lived together for six, been married for five….
Sharing a bed and future was child’s play compared to sharing my copy of The Complete Poems of W. B. Yeats, from which I had once read “Under Ben Bulben” aloud while standing at Yeats’s grave in Drumcliff churchyard, or George’s copy of T. S. Eliot’s Selected Poems, given to him in the ninth grade by his best friend, Rob Farnsworth, who inscribed it “Best Wishes from Gerry Cheevers….”
George is a lumper. I am a splitter. His books commingled democratically, united under the all-inclusive flag of Literature…. Mine were balkanized by nationality and subject matter….
If you are charmed, you must buy this book. I’ve omitted some of the funniest lines. If you doubt me, check Amazon, as these pages are included in their peek inside.
The other important theme in her book is the difference between people who think that books are objects and people who think that books are information. People who think that books are objects shudder at the thought of writing in them, dogearing page corners, etc. I’m sure you can guess where George and Anne lie.
I am especially amused by this because I, too, have had the problem of co-mingling libraries. I’ve been divorced, and dividing the library was a horror. The horror; nothing else was that hard. It was such a horror that I flipped from being someone who views books as objects to one who views them as information.
Books can be replaced. Really. I’ve done it. The archaeologists of future civilizations will not sigh in a lament because they’re missing the one issue of National Geographic or Cook’s Illustrated that you threw out. Truly. Trust me on that.
My last spouse, however, is someone who firmly believes that books are objects. I understand some of this. She collects antique children’s books. I have a first edition of The Hunting of the Snark (a possession that I can blame Ms. Fadiman’s father for, with Martin Gardner as an accessory before, during, and after the fact). Yet that admission also proves that I’m not that sort of person. My present condition of loving information rather than objects is some sort of Laingian adaptation, I suppose. I understand books just the way that Thomas Mendip understands names.
She lusts after a Kindle. Not Ms. Fadiman, my spouse. It’s something I find amusing, because I’m inclined to get her one because the savings in floor space alone amortizes its value out in the first month. In California, floor space is a valuable asset if you’re a bibliophile. She is someone who screams, “Nooooooooooo!” if I suggest that we get rid of a crap novel we agree is crap and yet she is willing to convert from paper you own to bits on loan. Even if our house is Alexandria, future generations would thank their ancestors for the culling if they only knew, of course, which they couldn’t. Nonetheless, she desires a Kindle.
Worse, a friend brought one into work today, and I’d like one, too. I’ve downloaded the Kindle app to my iPod. The problem that remains is the problem I complained about in Identity Manglement last fall. What account should we buy the books under?
An elegant part of the Kindle is that if you have more than one, they sync their books, and even the bookmarks. If you have the iPod app, that syncs, too. It’s brilliant.
I have friends who are already a multi-Kindle household. The system works well, but you can’t have two accounts pointing to one Kindle if you want to share books. There are ways, I am told, to work around this limitation, but I don’t want to work around it. I don’t want to soak the books in a digital solvent that removes the stickiness. I just want to be able to read a book she bought, as if it were a — you know, book.
When it came to music, I had the foresight to create an account that we collectively buy music with. Emusic and iTunes are both under that one identity. The community property we own can distribute itself over our laptops and iPods.
But we’ve been buying books from Amazon for ages, each of us. There’s no real problem with taking that email address and giving it to the Kindles, but I don’t want to. I want Amazon to understand that there are households where, after a lot of thought, after years of agonizing, the books have been merged. They should do that for Kindles, too.
It’s easy enough to do. Please do it. I wonder what Anne Fadiman would do.
Our publisher sent me a copy of Raffael Marty’s Applied Security Visualization. This book is absolutely worth getting if you’re designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They’re useful far beyond security. The chapter I didn’t like was the one on insiders, which I’ll discuss in detail further in the review.
In the intro, the author accurately scopes the book to operational security visualization. The book is deeply applied: there’s a tremendous number of graphs and the data which underlies them. Marty also lays out the challenge that most people know about either visualization or security, and sets out to introduce each to the other. In the New School of Information Security, Andrew and I talk about these sorts of dichotomies and the need to overcome them, and so I really liked how Marty called it out explicitly. One of the challenges of the book is that the first few chapters flip between their audiences. As long as readers understand that they’re building foundations, it’s not bad. For example, security folks can skim chapter 2, visualization people chapter 3.
Chapter 1, Visualization covers the whats and whys of visualization, and then delves into some of the theory underlying how to visualize. The only thing I’d change in chapter 1 is a more explicit mention of Tufte’s small multiples idea. Chapter 2, Data Sources, lays out many of the types of data you might visualize. There’s quite a bit of “run this command” and “this is what the output looks like,” which will be more useful to visualization people than to security people. Chapter 3, Visually Representing Data covers the many types of graphs, their properties and when they’re appropriate. He goes from pie and bar charts to link graphs, maps and tree maps, and closes with a good section on choosing the right graph. I was a little surprised to see figure 3-12 be a little heavy on the data ink (a concept that Marty discusses in chapter 1), and I’m confused by the box for DNS traffic in figure 3-13. It seems that the median and average are both below the minimum size of the packets. These are really nits; it’s a very good chapter. I wish more of the people who designed the interfaces I use regularly had read it. Chapter 4, From Data to Graphs covers exactly that: how to take data and get a graph from it. The chapter lays out six steps:
There’s also a list of tools for processing data, and some comparisons. Chapter 5, Visual Security Analysis covers reporting, historical analysis and real time analysis. He explains the difference, when you use each, and what tools to use for each. Chapter 6, Perimeter Threat covers visualization of traffic flows, firewalls, intrusion detection signature tuning, wireless, email and vulnerability data. Chapter 7, Compliance covers auditing, business process management, and risk management. Marty makes the assumption that you have a mature risk management process which produces numbers he can graph. I don’t suppose that this book should go into a long digression on risk management, but I question the somewhat breezy assumption that you’ll have numbers for risks.
I had two major problems with chapter 8, Insider Threat. The first is claims like “fewer than half (according to various studies) of various studies involve sophisticated technical means” (pg 387) and “Studies have found that a majority of subjects who stole information…” (pg 390). None of these studies are referenced or footnoted, and this in a book that footnotes a URL for sendmail. I believe those claims are wrong. Similarly, there’s a bizarre assertion that insider threats are new (pg 373). I’ve been able to track down references to claims that 70% of security incidents come from insiders back to the early 1970s. My second problem is that having mis-characterized the problem, Marty presents a set of approaches which will send IT security scurrying around chasing chimeras such as “printing files with resume in the name.” (This because a study claims that many insiders who commit information theft are looking for a new job. At least that study is cited.) I think the book would have been much stronger without this chapter, and suggest that you skip it or use it with a strongly questioning bias.
Chapter 9, Data Visualization Tools is a guided tour of file formats, free tools, open source libraries, and online and commercial tools. It’s a great overview of the strengths and weaknesses of tools out there, and will save anyone a lot of time in finding a tool to meet various needs. The Live CD, Data Analysis and Visualization Linux can be booted on most any computer, and used to experiment with the tools described in chapter 9. I haven’t played with it yet, and so can’t review it.
I would have liked at least a nod to the value of comparative and baseline data from other organizations. I can see that that’s a little philosophical for this book, but the reality is that security won’t become a mature discipline until we share data. Some of the compliance and risk visualizations could be made much stronger by drawing on data from organizations like the Open Security Foundation’s Data Loss DB or the Verizon Breaches Report.
Even in light of the criticism I’ve laid out, I learned a lot reading this book. I even wish that Marty had taken the time to look at non-operational concerns, like software development. I can see myself pulling this off the shelf again and again for chapters 3 and 4. This is a worthwhile book for anyone involved in Applied Security Visualization, and perhaps even anyone involved in other forms of technical visualization.