"Pirate my books, please"

Science fiction author Walter Jon Williams wants to get his out-of-print work online so you can read it:

To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist countries. So I downloaded my own work from thence with the intention of saving the work of scanning my books— I figured I’d let the pirates do the work, and steal from them. While this seemed karmically sound, there proved a couple problems.

Read more in “Crowdsource, Please.”

Would I self-publish?

A few weeks back, Dave Birch asked me if I’d publish my next book myself. I don’t think I would. I’m really happy with Karen Gettman and Jessica Goldstein at Addison Wesley, and I’ve convinced my co-authors for my next book that we should have a discussion about publishers.

So why am I happy with them, and what can you learn from that?

First, let me scope this by saying the New School is what they call a “big idea” book. This is in contrast to a lot of books in technology, which are, well, technology specific. The New School is a tech book, but it’s not a tech book in the way that “Mastering Office 97” or “Teach yourself Haskell in 28 Days” are tech books.

Books like that are usually on a hard schedule. You need to get them done as the software ships. No one wants a copy of “Mastering Office 97” anymore. If you get them done too soon, they don’t reflect the final program. Anyone writing such a book gets a lot more pressure than we did. (Jessica called me one day and said “you know, if you guys finally finish, we can release at RSA and your sales will be higher.”)

That advice “do this and your sales will be higher” is tremendously useful to any author not named “Rowling,” “King” or “Clancy.” However well an author may understand their audience, there are trends in publishing, and understanding those trends is far easier for a publisher who has people monitoring their sales and those of competitors.

When we were getting started, we wanted to write a book for executives, and call it “Security Decisions.” Several publishers rejected that proposal, because ‘executives don’t read,’ and if you look at Amazon SalesRank for a book on managing security that you like, you’ll see that that’s roughly borne out. (Yes, SalesRank is a bad indicator, but an easy one to use.) So we got effective market advice from our publisher.

The next thing authors get is financial support, either in the obvious form of an advance, or in that the publisher pays for printing, binding, warehousing and distribution in advance.

The final thing you get from a major publisher is channels, both domestic and international. I’ve seen the New School in Borders and Barnes and Noble. When there are trade events, my book tends to magically show up at the show bookstore, and I don’t have to do anything. Addison Wesley makes that happen without any effort from me. Cory Doctorow speaks out “In Praise of the Sales Force.”

Of course, for all of this, they extract a fee of about 80-90% of the sale price of the book. (See Mary Shaw and Tim O’Reilly for a breakdown.) That would make it hard to earn a living on the sales of technical books. If I were writing to earn a living, I might choose differently. Then again, I said “if I were writing,” not “if I were selling books for a living.”

As an aside, in “Why There’s no Tip Jar” Charlie Stross writes, “If I put a Paypal tipjar on this blog, to take conscience money from folks who’ve downloaded a (cough) unauthorized ebook or two, the money would come to me, not to the publisher. And without the publisher those books wouldn’t exist: wouldn’t have been commissioned, wouldn’t have been edited, wouldn’t have been corrected and marketed and sold in whatever form filtered onto the unauthorized ebook market.”

If you still want to self-publish, check out 6 Ways to Publish Your Own Book. Otherwise, any good publisher will have a set of resources up for authors. Pearson’s is here.

[Update: and they copyedit & proofread your words!]

This Is Not Writing; You Are Not Reading

The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets.

I’ll get right to the point before I start ridiculing the ridiculous, and answer the question. No. Of course not. It’s not really reading. This is not text. It is not the product of hot lead type lovingly smearing a mix of kerosene and soot over wood pulp. It’s a bunch of pixels, and those pixels are whispering directly into your brain. You are not reading, you’re hearing my snarky voice directly massaging your neurons. That doesn’t happen when you read. People don’t see things or hear things when they read. Ask Anne Fadiman if you don’t believe me. She knows.

Let’s look at some of the statements in the article:

Few who believe in the potential of the Web deny the value of books. But they argue that it is unrealistic to expect all children to read “To Kill a Mockingbird” or “Pride and Prejudice” for fun.

It is unrealistic to expect any children to read Austen. Austen is arguably the second best writer in all of English, but she requires emotional experiences that children do not have. Pride and Prejudice is no more children’s reading than 1984 is. Trust me on this, I know. I read 1984 when I was ten, and when I re-read it in college, I was gobsmacked to learn that there is sex in it.

Some traditionalists warn that digital reading is the intellectual equivalent of empty calories. Often, they argue, writers on the Internet employ a cryptic argot that vexes teachers and parents. Zigzagging through a cornucopia of words, pictures, video and sounds, they say, distracts more than strengthens readers.

They said pretty much the same about Dickens. Until relatively recently, no serious scholar of literature (read college professor) would admit to reading Dickens. Personally, I agree. These days he’s considered a classic, and the non-serious scholars won’t admit to reading him.

Last fall the National Endowment for the Arts issued a sobering report linking flat or declining national reading test scores among teenagers with the slump in the proportion of adolescents who said they read for fun.

And of course we can fix this by denigrating what they do read, as opposed to finding things for them worth reading.

“Whatever the benefits of newer electronic media,” Dana Gioia, the chairman of the N.E.A., wrote in the report’s introduction, “they provide no measurable substitute for the intellectual and personal development initiated and sustained by frequent reading.”

I’ll do my part. I resolve to start writing my blog posts, okay? Do you want them in printing or copperplate?

[Synopsis: Nadia’s mother tries to instill a love of books in Nadia. Nadia does not respond until they get a computer, when Nadia gives up TV for fanfic.]

Now [Nadia] regularly reads stories that run as long as 45 Web pages. Many of them have elliptical plots and are sprinkled with spelling and grammatical errors.

Which the masters of modern literature such as Pynchon and Joyce would never do. Austen never had elliptical plots, they were circular, and she was merely eccentric.

Nadia said she wanted to major in English at college and someday hopes to be published. She does not see a problem with reading few books. “No one’s ever said you should read more books to get into college,” she said.

And this is a problem?

Reading skills are also valued by employers. A 2006 survey by the Conference Board, which conducts research for business leaders, found that nearly 90 percent of employers rated “reading comprehension” as “very important” for workers with bachelor’s degrees.

I don’t know about you, but I wonder what sort of people the 10+% of employers are who think that reading comprehension is not very important. What sort of Dilbert-refugees are they? I find that “nearly 90%” to be disturbing.

Some literacy experts say that reading itself should be redefined. Interpreting videos or pictures, they say, may be as important a skill as analyzing a novel or a poem.

Ah, the word “may.” I’ve ranted about it before. It is true that interpreting pictures may be as important as analyzing a novel. It certainly is if you want to appreciate El Greco. But that’s not the point. As much as I like sneering at moderns who think Dickens is literature, times change. It may, indeed. Joyce may have written grammatically. Austen may be suitable for children. Reading comprehension may be important for workers with bachelor’s degrees. And Shakespeare’s works may have been written by another man of the same name.

I am disdainful of hot media, but the Web is the renaissance of cold media. It’s an aberration in a slide to hotter and hotter media. Also realize that cold media is relatively recent. Most of human history had its literature in songs and pantomime.

Lastly, remember that kids have been no damned good for as long as we’ve been writing at all. The pinnacle of civilization was when we were in the caves, and it’s been a long slow slide into perdition ever since. Every generation is worse than the previous one. It will continue to be that way. These kids are going to sigh with exasperation and not understand why their kids roll their eyes at Sailor Moon. And they’re just not going to understand the true art form of fanfic and slashfic. Tsk.

Writing a book: The Proposal

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you’d like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn’t about how to come up with the idea, it’s about how to sell it.

In a mature market, like the book market, you need some way to convince the publisher that thousands of people will buy your book. Some common ways to do this are to be the first or most comprehensive book on some new technology. You can be the easiest to understand. You can try to become the standard textbook. The big problem with our first proposal was that we wanted to write a book on how managers should make security decisions.

That book didn’t get sold. We might rail against the injustice, or we might accept that publishers know their business better than we do.
Problems with the idea include that there aren’t a whole lot of people who manage security, and managers don’t read a lot of books. (Or so we were told by several publishers.) We didn’t identify a large enough market.

So a proposal for a new book has to do two main things: first identify a market niche that your idea will sell, and second, convince the publisher that you can write. You do that with an outline and a sample chapter. Those are the core bits of a proposal. There are other things, and most publishers have web sites like Addison Wesley’s Write for us or Writing For O’Reilly. Think of each of these as a reason for some mean editor who doesn’t understand you to disqualify your book, and make sure you don’t give them that reason.

With our first proposal, we gave them that reason. Fortunately, both Jessica Goldstein (Addison Wesley) and Carol Long (Wiley) gave us really clear reasons for not wanting our book. We listened, and put some lipstick on our pig of a proposal.

Funny thing is, that lipstick changed our thinking about the book and how we wrote it. For the better.

Writing a book: technical tools & collaboration

When Andrew and I started writing The New School, we both lived in Atlanta, only a few miles apart. We regularly met for beer or coffee to review drafts. After I moved to Seattle, our working process changed a lot. I wanted to talk both about the tools we used, and our writing process.

We started with text editors and a Subversion repository. Andrew, I think, used TextEdit, and I used emacs. This didn’t work very well, and we regularly lost check-in discipline. We also realized that we both wanted to be able to use headings, italics, and other tools that aren’t easy in text.

So we moved to LaTeX. LaTeX is a very powerful, slightly twitchy page description system that scientists use. We wrote the draft chapters we used to sell the book in LaTeX, along with the proposal. We really like those drafts, and there’s a good deal which survived, and even more that’s gone. We marked up those chapters in person, which became a lot harder when I took a job in Seattle.

As we tried to work in LaTeX, we ran into the same collaboration troubles that Baron Schwartz talked about in “What is it like to write a technical book?”* Lists of comments just didn’t cut it. We needed something more powerful.

Now, there’s a few publishers left who take three formats: LaTeX, Word, and camera-ready. (As I understand it, most only take Word.) So our choice of formats controlled our choice of software. My experience with OpenOffice is that it didn’t produce perfect Office docs. We didn’t want to take a risk that we’d be stuck in a format war with AW. So we moved to Office 2004 for the Mac, and it worked pretty well for writing and revising. Ironically, I was the one who resisted Word most strongly. I’m a real fan of simple file formats that you can read with various tools. We used iChat’s voice chat feature to talk through things, and Andrew flew up to Seattle once for a grueling-long weekend of editing.

That worked pretty well until we hit technical reviews and production. Technical reviews involved sending out the draft to a bunch of people, who then commented on it, usually using Word’s comment feature. I aggregated all those into one file, and started editing it. When we did, we ran into performance problems. A 20 page doc with 300-400 comments and edits was slow.

Fortunately, assimilation has its privileges. I was able to get us into the Office 2008 beta program, which ran almost flawlessly for us. We did the final production edits with Office 2008, iChat and one other key tool: my Brother HL5140 printer. It was a workhorse, and the huge stacks of paper that I worked with all came out of a single cartridge.

*I think that’s the right URL. He has some silly anti-spam software that can’t tell the difference between GET and POST and complains about not having a referer: header on GET.

How much work is writing a book?

There’s a great (long) post, “What is it like to write a technical book?”, by Baron Schwartz, the lead author of “High Performance MySQL.” There’s a lot of great content about the process and all the but I wanted to respond to this one bit:

I can’t tell you how many times I asked people at O’Reilly to help me understand what would be involved in writing this book. (This is why I’m writing this for you now — in case no one will tell you, either). You would have thought these folks had never helped anyone write a book and had no idea themselves what it entailed. As a result, I had no way to know what was realistic, and of course the schedule was a death march. The deadlines slipped, and slipped and slipped. To November, then December, then February — and ultimately far beyond. Each time the editor told me he thought we were on track to make the schedule. Remember, I didn’t know whether to believe this or not. The amount of work involved shocked me time after time — I thought I saw the light at the end of the tunnel and then discovered it was much farther away than I thought.

I think this is somewhat unfair to the O’Reilly folks, and wanted to comment. Baron obviously put a huge amount of effort into the work, but O’Reilly has no way of knowing that will happen. They run a gamut in second editions from “update the references and commands to the latest revision of the software” to “complete re-write.” Both are legitimate ways to approach it. It could take three months, it could take a few years. O’Reilly can’t know in advance. (Our publisher has told me horror stories about books and what it’s taken to get them out.)

So O’Reilly probably figures that there’s a law of diminishing returns, and pushes an insane schedule as a way of forcing their authors to write what matters and ignore the rest.

So it’s not like a baby that’s gonna take 9 months.

Andrew and I opened the New School of Information Security with a quote from Mark Twain which I think is very relevant: “I didn’t have time to write you a short letter, so I wrote you a long one instead.”

We took our time to write a short book, and Jessica and Karen at Addison-Wesley were great. We went through 2 job changes, a cross-country move, and a whole lot of other stuff in the process. Because we were not technology specific, we had the luxury of time until about December 1st, when Jessica said “hey, if you guys want to be ready for RSA, we need to finish.” From there, it was a little crazy, although not so crazy that we couldn’t hit the deadlines. The biggest pain was our copy-edit. We’d taken the time to copy-edit, and there were too many changes to review them all. If we’d had more time, I would have pushed back and said “reject all, and do it again.”

So there’s no way a publisher can know how long a book will take a new set of authors, because a great deal of the work that Baron Schwartz and co-authors did was their choice.

More New School Reviews

Gary McGraw says buy it for the cover:

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinsky on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinsky fan. On the way to complete that errand, I had a chance to look through the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book. (Gary McGraw)

while Ben Rothke says buy it for what’s in between:

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.


Let’s hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.
(Ben Rothke’s review on Slashdot)

Thanks very much for the awesome review, Ben!

The Principal-Agent Problem in Security

There’s a fascinating article in the New York Times, “At Bear Stearns, Meet the New Boss.” What makes it fascinating is the human emotion displayed:

“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?”

The packed room of senior managing directors applauded.

Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”

But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there’s an easy slam on that exec, but I’d like to do better than that. There’s a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He’s worried about how he’s going to pay for his kid’s education or his next vacation. (There’s more excellent analysis in Jeffrey Lipshaw’s “Exuberant Bulls, Rueful Bears, and Rational Frogs

People’s concerns, first and foremost, are for themselves.

People who work in security are often deeply concerned with security, because it’s the thing that makes or breaks their careers. They’re focused on the impact of security on them, as well as their business. So sometimes they make choices which aren’t perfect for the business, but take their perspectives into account. It’s only human.

Nick Owen talks a bit about the motives of security chiefs in “On the short tenure of CISOs and low-frequency, high-impact events.” (Damnit, Nick, I should have seen that. Now you’re banned from the prom.) ((Which is yet another instance of a principal-agent problem. I’d like to appear smarter and more insightful than Nick, so I have to ensure I don’t link to him.))

Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn’t have time to sell. How does she know that he’s not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people’s motives are well aligned with those of the business and its shareholders?

Nick Szabo has some interesting points about “representation distances” in a political analysis of principal-agent problems. I’m surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.

First in-depth review

Andre Gironda writes “Implications of The New School:”

Additionally, the authors immediately begin the book with how they are going to write it — how they don’t reference anything in great detail, but that the endnotes should suffice. This also put me off a bit… that is — until I got to the endnotes! Certainly from the beginning to the end of the book I was also kept in a state of constant interest thanks to the excellent writing. Even if you have read all of their past work, this book is certainly worth a read or two or three, maybe even quarterly.

He has a lot of detail in his review, while I’m just quoting the intro, blown away and grateful that someone would suggest reading it quarterly.

Thanks Andre!

More New School feedback

Our editor says that the Safari e-book edition of The New School is now available. Hardcopies should be out in a week or so.

Jon Pincus gives us a mention in his long article “Indeed! The Economist on “computer science as a social science”” and comments that we “explicitly include discussions of diversity in the social science sense.” (As he discusses, Jon has long been focused on computer science as a social science, and he gave us some great help in improving the diversity section.)

Nick Owen thinks he won’t be invited to the prom in the New School, but he’s wrong. He turned me on to Bennett Stewart’s work, which influenced how we talk about ROI.

KJW/Code likes the first chapter. Decius on Memstreams says that our editorial blurb “makes a lot of bold claims without explaining how those claims are met. I eagerly await further reviews and shorter articles written by the authors to promote their book…”

Also, a couple of people emailed me asking for a table of contents and more sample content. Here’s the table of contents, and yes, Decius, there will be more that we’ll release over the next little while. We have a first couple of interviews lined up, and are eager to get the ideas out there in forms which are easy to digest.

Table of Contents

1. OBSERVING THE WORLD AND ASKING WHY

Spam, and Other Problems with Email 4
Hostile Code 7
Security Breaches 9
Identity and the Theft of Identity 11
Should We Just Start Over? 14
The Need for a New School 15

2. THE SECURITY INDUSTRY

Where the Security Industry Comes From 19
Orientations and Framing 25
What Does the Security Industry Sell? 27
How Security Is Sold 33

3. ON EVIDENCE

The Trouble with Surveys 46
The Trade Press 50
Vulnerabilities 52
Instrumentation on the Internet 54
Organizations and Companies with Data 55

4. THE RISE OF THE SECURITY BREACH

How Do Companies Lose Data? 64
Disclose Breaches 68
Possible Criticisms of Breach Data 70
Moving from Art to Science 74
Get Involved 76

5. AMATEURS STUDY CRYPTOGRAPHY; PROFESSIONALS STUDY ECONOMICS

The Economics of Information Security 82
Psychology 95
Sociology 99

6. SPENDING

Reasons to Spend on Security Today 106
Non-Reasons to Spend on Security 110
Emerging Reasons to Spend 112
How Much Should a Business Spend on Security? 116
The Psychology of Spending 122
On What to Spend 126

7. LIFE IN THE NEW SCHOOL

People Are People 132
Breach Data Is Not Actuarial Data 136
Powerful Externalities 137
The Human Computer Interface and Risk Compensation 139
The Use and Abuse of Language 142
Skills Shortages, Organizational Structure, and Collaboration 144

8. A CALL TO ACTION

Join the New School 149
Embrace the New School 153
Make Money from the New School 157
Final Words 159

ENDNOTES 161

BIBLIOGRAPHY 213

INDEX 229