Category: books

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-start cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus the human factor and finishes nicely with a section on business models. A few chapters about more about security without being a particular focus on the cloud(tm), but that’s not particularly a problem.

My only real complaint about the book is that with so many authors, things don’t always flow as smoothly as they could when moving from chapter to chapter. This is however made up for by the general high quality of the work. In particular, un addition to the authors mentioned above, you’ll also want to make sure to read the sections by Lori MacVittie, Brian Honan and Kevin Riggins.

This book is targeted at decision makers, managers and othesr who need to understand cloud from business view, so if that’s you, I encourage you to read this book. Definitely worth the price.

Book review: "The Human Contribution"

James Reason’s entire career was full of mistakes. Most of them were other people’s. And while we all feel that way, in his case, it was really true. As a professor of psychology, he made a career of studying human errors and how to prevent them. He has a list of awards that’s a full paragraph long, but perhaps most interesting is that he’s an honorary fellow of the Royal College of General Practitioners for his work in reducing medical errors. “The Human Contribution” is a broad, accessible and fun book on the human contribution to errors, failures and crises. At times, it rises from ‘merely’ thought provoking to awe-inspiring.

Part I includes a “mind users guide” including easily triggered failures of thinking, like tip of the tongue state. Part II covers unsafe acts, including (chapter 3) a set of ways of classifying errors, and the differences between rule based mistakes (applying a rule that doesn’t apply) and knowledge based ones, where people don’t know the right solution, and errors are extremely common. Chapter 4 covers violations, including a long discussion of why people violate rules:

For many acts of non-compliance, experience shows that violating is often an easier way of working and brings no obvious bad effects. The benefits are immediate and the costs are seemingly remote and, in the case of accidents, unlikely.

Chapter 5 covers different ways people think about unsafe acts. The “plague model” is that these things just happen. They’re unpredictable and hard to control. The “person model” is focused on individual unsafe acts and their origins. The “legal model” adds a moralistic aspect to the person model that “someone must be punished.” The chapter closes with a system model, showing how individual choices, the organization and its policies and procedures can come together in a variety of ways that influence accidents.

Part III is short, covering accident traps, recurrent accident patterns and culture in chapter 6, and the influence of a few significant accident investigations. (That is, where the investigations were significant for advancing the state of our understanding of accidents.)

Part IV is a rare touch in books on errors. It covers heroic recoveries in four ways: “Training, discipline and leadership,” focusing on two military retreats across long distance. Chapter 9, “Sheer Unadulterated Professionalism” covers in depth the rescue of Titanic survivors and Apollo 13, as well as British Airways flight 09 and BAC1-11 and surgical errors. Chapter 10 “Skill and luck” covers the intersection of skill and luck with the Gimli glider and United 232. When a Boeing 767 flying as Air Canada flight 103 lost power, the pilot was an experienced glider pilot, and the co-pilot had flown out of Gimli. The degree of luck that AC 103 was in range of Gimli, and that the co-pilot knew where the base was, is nearly incalculable. (The base, being closed, was not on the flight charts.) But without the pilots skill at unpowered flight, and his willingness to risk flying a 767 like a glider, the odds of a landing people walked away from were very low. Chapter 11, “Inspired Improvisations” covers the ways in which people’s unique skills and experiences can lead to unusual but effective solutions. The section closes with a chapter on “The ingredients of heroic recovery.” The actions covered here are heroic in many senses, and a fascinating collection of stories. But it’s more than that; it’s a set of lessons which can be extracted and applied elsewhere.

Part V, which closes the book, covers achieving resilience in a chapter on “Individual and Collective Mindfulness” and “In search of safety.”

The book has actually substantially influenced my thinking on product management and the tradeoffs between security, design beauty and time to market. That, perhaps, is another blog post. More importantly, this is an important book, and worth the time of readers of The New School.

It’s not that safety management and risk management are identical, but rather that they can and should inform each other. But the real New School angle to “The Human Contribution” is the underlying premise that we must study the real errors and even near-misses that systems produce, and how people react to them. It is only through that study that we can build systems which will be safe enough to satisfy us.

PS: Someone I spoke with at BlackHat recommended this book. Thank you!

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer.

From the store’s blog, “Grand Opening: June 11th

I’ve been helping David and Danielle a little with book selection because they’re good folks and I love great bookstores. I encourage Seattle readers to stop by.

Nelson Mandela


Twenty years ago today, Nelson Mandela was released from prison on Robben Island, where he was imprisoned for 27 years for considering violence after his rights to free speech and free association were revoked by the government.

I learned a lot about the stories when I visited South Africa, and then more when my mom sent me “The World that was Ours” by Hilda Bernstein. She was an activist and the wife of one of the “Rivonia Trial.” Her book is a highly readable account of what life was like, and how people who started out as reformers were radicalized by increasingly bizarre and ineffectual attempts by the government to exert control.

It also gives a good sense of how absurd the actions of the apartheid system became as time went on. I could make snarky comparisons to the TSA, and believe me, I’m tempted. But the simple truth is that as bad as things have gotten in the US, they generally don’t even approach the dysfunction which existed in South Africa.

Looking at South Africa today, it’s easy to forget that twenty years ago, the country was engaged in an active race war with government forces shooting into funeral crowds every weekend. The work that Mandela, Desmond Tutu, and F.W. De Klerk and others did to stop the violence and build the society which exists in South Africa today is one of the success stories of our time. Yes, it has deep imperfections, but so does the world.

Photo from the Apartheid Museum. On the left is a ballot box.

Today in Tyrranicide History

On January 30th, 1649, Charles I was beheaded for treason. He refused to enter a defense, asserting that as monarch, he was the law, and no court could try him. That same defense is raised today by Milošević, Hussien and other tyrants.

The story of how John Cooke built his arguments against that claim is told in entertaining and accessible depth in “The Tyrannicide Brief” by Geoffrey Robertson.

As his website says, “Geoffrey Robertson QC has been counsel in many landmark cases in constitutional, criminal and media law in the courts of Britain and the commonwealth and he makes frequent appearances in the Privy Council and the European Court of Human Rights.” So he knows what he’s talking about, and he knows how to tell an engaging story.

The principle that no one is above the law is an important one. So today raise a glass and remember John Cooke.

The Lost Books of the Odyssey

You should go read The Lost Books of the Odyssey. You’ll be glad you did.

I wrote this review in April of 2008, and failed to post it. Part of my reason is that I have little patience for, and less to say about most experimental fiction. I am in this somewhat like a luddite, unwilling to tolerate experiments which ought to have been kept confined to a laboratory. And so, knowing that this book won a prize worried me greatly, but for reasons which I’ll get to in a moment, I persevered, and I’m glad that I did.

The “lost books” consist of very short stories, usually of a few pages or so. The context, is of course, the Odyssey, and the actions of its heros and villians.

It falls into that class of writing which is simply a delight to read. The stories are beautifully crafted, surprising and casting new lights on old stories.

The richness and character of the writing is exceptional and engaging, all the more so for the origin and nature of the work. As Zachary Mason explains in the introduction, “The Lost Books of the Odyssey” were in fact lost and recovered, in a feat perhaps nearly as impressive for its cryptanalytic acumen as for its literary importance.

It is entirely worth reading, and since I first read it, it has been winning substantial literary prizes, and the New York Times calls it “dazzling.”

Finally, I should mention that Zachary and I were roommates at Miss Hall’s School for Precocious Youth in Arkham, Mass. I would like to offer my most sincere apologies for anything he remembers.

[Updated, fixed a spelling error]

Visual Notetaking

I’m a big fan of the book “Back of the Napkin” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept “visual notetaking” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have a professional notetaker who is using this. It really makes the notes much more powerful and useful then just text. Imagine having notes with visual cues to (including but not limited to network diagrams) help you remember what happened. I’m sitting here looking at the posters, the notetaker made in real time with our discussions and it’s amazing how much more useful they are.

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a book that is as engaging as RSnake’s or Jeremiah’s blog, but even more so.
This is not a book on how to build secure websites, there are plenty of those already. This is a book for security practitioners who get to deal with the site after it’s been built and deployed. It is full of great advice and information about not just how to detect attacks, but also how to distinguish between human attackers, regular users, bots and spiders.
This book should be on the purchase list of every security geek and if Rob hadn’t graciously given me a copy, I’d have already sent him my $40. Send him your money and make him a rich man.