Category: books

Read any good books lately?

Do share your opinions and suggestions.
Personally, I don’t read enough, and I stay within a too-narrow comfort zone of UNIX geek material. Help me, and other EC readers similarly situated. It’d be nice if the techie side of infosec was not the subject (Rich Bejtlich has that covered anyway).
I wrote up a review of Bryan Skyrms’ The Stag Hunt and the Evolution of Social Structure a while back, and I recommend it highly (the book, not the review).
I also liked Amartya Sen’s Rationality and Freedom.

A Moment of Silence

Ahmet Ertegun has passed away. Ertegun founded Atlantic Records because he loved music, and at 83, the BBC reports:

He suffered a head injury when he fell at a Rolling Stones concert at New York’s Beacon Theatre in October, and died after slipping into a coma. (Emphasis added.)

His book “What I’d Say: The Atlantic Records Story” is both a beautiful coffee table book, and a record of the rise of jazz, blues and rock. By the 1970s, the world seemed to be veering off in directions that Ertegun didn’t fully understand, but that’s ok: He’d been a taste-maker and passionate advocate for his artists for a full half-century.

If you still own records or CDs, go take a look at how many of the artists you love released on Atlantic. Play some. It’s what Ahmet would have wanted: to be remembered for the music he brought us.

Security Development Lifecycle, the Book

Michael Howard announces the imminent availability of his new book, “The Security Development Lifecycle” by Michael Howard and Steve Lipner:

This time the book documents the Security Development Lifecycle (SDL), a process that we’ve made part of the software development process here at Microsoft to build more secure software. Many customers, press, analysts, and, to be honest, competitors want to know more about what we’re doing in the software engineering space to shore up our software’s defenses. And thanks to the SDL, we’ve seen good progress to date (read: in the range of 50% reduction in vulnerabilities, sometimes more!)

There’s a lot of information about not only what they’re doing, but why, and what happened along the way. I’m looking forward to it.

"The Far Enemy"

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global” by Fawaz Gerges for quite some time.

The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” the United States. Gerges is clearly deeply immersed in Jihadist debate, and traces much of the history and character of those debates.

It was a deeply challenging read, on several levels. First, Gerges’ orientation is so close to the Jihadists that he offers up distinctions which seem like the splitting of the thinnest hairs. He also seems to express sympathies for the jihadist movement in sentences like “At this stage, it is difficult to see how and if jihadis will ever be able to rescue their movement from terminal decline and decay.” In other places, he refers to the murder of civilians as “military operations.” In yet others, he makes important assertions that I would have liked to see explored, and simply follows them with “suffice it to say.”

However, understanding the orientation of the enemy is important. It allows you to select actions to constrain the enemy’s responses. The Far Enemy expanded my understanding of Jihadist orientation.

Before digging into one of those arguments, I’ll be clear that I’m not an expert on this, and am restating Gerges’ argument. There is an assertion, put forth by a set of Jihadists in the 50s and 60s, that jihad is not only a collective responsibility, but an individual one. There is also the assertion that anyone witnessing great injustice may call for Jihad, without the full support of the clergy. This is (apparently) at odds with more traditional jurisprudence, which requires the clergy to call for jihad.

Thus when reading Jonathan Rauch’s article “A War on Jihadism,” I was surprised to see this:

“I think defining who the enemy is is a real problem in this war,” says Mary Habeck, a military historian at the Johns Hopkins University School of Advanced International Studies. “If you can’t define who’s a real threat and who’s just exercising free speech, it’s a problem.” As it happens, Habeck is the author of one of three new books that, taken together, suggest the time is right to name the battle. It is a war on jihadism.

If it is actually the case that an individual, such as Osama bin Ladin, or Zawaqari, cannot declare jihad on his own, then that seems part of a reasonable basis on which to decide who is a threat, and who is exercising free speech.

This test is not so bright-line as I would like. What to do with those who claim that jihad is a personal responsibility, that an individual may call for it, and that whatever provocations exist are not enough to justify such a call?

One of the basic precepts of the nation state system, which distinguishes it from predecessor systems, is that the state has a monopoly on violence, and uses that violence in furtherance of policy, not personal, aims.

Such a distinction also fails to address (say) the Iranian death sentence on Salman Rushdie, or their President’s call to wipe Israel off the map. But it seems essential, as part of preserving the nation-state system, to assert that individuals may not invoke armed struggle, and this is an enemy which nation states can rally to fight.

Of course, actually bothering to fight an individual lowers the state to a smaller, less grandiose level, but that seems unavoidable.

[Update: Don’t miss the closely related “Area Islamic Militant All Talk,” at The Onion Radio News.]

How New Ideas Emerge From Chaos

There’s an interesting contrast between “The Problem With Brainstorming” at Wired, and “Here’s an Idea: Let Everyone Have Ideas” at the New York Times.

The Problem with Brainstorming starts out with some history of brainstorming, and then moves to its soft underbelly: The tendency of groupthink to emerge from groups:

Thinking in teams, and pitching other people’s ideas rather than my own, I quickly found my freshest thoughts blending into a kind of generalized banality, a dollar-green cookie dough. Quantity there was, but the lack of a personal moral framework and the impossibility of being negative took quality off the agenda.

In sharp contrast, Let Everyone Have Ideas starts out:

[T]hey focus on an internal market where any employee can propose that the company acquire a new technology, enter a new business or make an efficiency improvement. These proposals become stocks, complete with ticker symbols, discussion lists and e-mail alerts. Employees buy or sell the stocks, and prices change to reflect the sentiments of the company’s engineers, computer scientists and project managers — as well as its marketers, accountants and even the receptionist.

The question of how to go from a stream of ideas to selecting and executing on the right ideas is a fascinating one. Serving your existing customers, by focusing on compatibility issues and gradual improvement, prevents you from making some leaps that a company with a smaller customer base can make. This is one of the reasons startups can bring new things to market quickly. (Clayton Christensen talks about this in The Innovator’s Dilemma.)

Let Everyone Have Ideas focuses not only on how to select ideas, but on a way to execute on them, which is to turn effort and evangelism into shares on that internal market, so that when ideas pay off, those who backed them can get an ROI. Fascinating.

(Einstein blackboard from Hetemeel’s Dynamic Images page.)

Security and Usability

Simson Garfinkel sent me a copy of “Security and Usability: Designing Secure Systems that People Can Use,” which he co-edited with Lorrie Faith Cranor. [Updated spelling of Lorrie’s name. Sorry!] I was really hesitant when I got it because I tend to hate collections of academic papers. They’re often hard to read, heavily redundant, and jargon-filled. This book isn’t, and my copy is already dog-eared, and filled with turned-down pages. It is chock full of useful advice, interesting stories, great references, and useful lessons learned. If you build security software, or software with security implications, you should buy this book.

Once you’ve bought it, it may help to skim the first few chapters, which set the scene, and do contain a fair bit of redundancy, probably unavoidably. If you get bogged down, skip forward; there’s lots of great stuff.

I think this is my favorite excerpt:

We studied eight subjects’ experiences enrolling in the wireless PKI. Our subjects were sophisticated computer users, typically holding Ph.D.s in Computer Science. Despite using the GUI-based interface for enrollment and configuration of their machines, the process involved a total of 38 distinct steps.

Each of these presented an opportunity for end users to make frustrating mistakes. The average time that it took them to request and retrieve their certificate and then configure their system was 140 minutes. Almost all of the subjects printed the instructions, and even those determined to understand what they were doing soon began following the instructions mechanically. In the end, many test subjects described enrollment as the most difficult computer task that PARC had ever asked them to do. All subjects had little idea of precisely what they had done to their computers. Several commented that if something were to go wrong, they could not perform even basic troubleshooting. For several subjects, this was the first time that they had ever experienced the inability to administer their own machines. Ironically, while PKI technology may have secured their machines for wireless use, it simultaneously reduced these end users’ ability to configure and maintain their own machines. (From chapter 16, “Making the Impossible Easy: Usable PKI,” by Dirk Balfanz, Glenn Durfee, and D.K. Smetters.)