Security

Five good security reads

Check out a list of five security related books Chad Perrin has read in the past year that he thinks you should read, too.

Today marks the one-year anniversary of my first article in TechRepublic's IT Security Weblog. One year ago, on 17 July 2007, I wrote 5 steps to becoming the local security guru. This year, I have another five-item list for you -- a list of security related books I have read that you should probably read, too.

Novels

The first part of the list is of novels I have read in the last year that have a strong IT security focus, are well written, and can teach the security interested IT professional something about security. If you haven't read them yet, they should definitely be on your reading list.

They're listed in the order I read them, which is conveniently also alphabetical order.

Cryptonomicon

This Neal Stephenson novel is a trifle unique in that it is actually two tales, each with its own plot, in one. The narrative switches between these tales regularly, one set during World War II, the other in the modern world. Specific modern technologies are often fictionalized (e.g. Finux, a thinly veiled reference to Linux, and Ordo, an encryption system that doesn't exist in the real world but very well could), while more general technologies (e.g. cryptographic technologies in general) are entirely real.

The story introduces the reader to concepts that, for most of us, may be new. It ends up being kind of accidentally educational in that respect, presenting ideas about cryptographic currencies, principles of cryptographic technology, and some of the history of modern computing and modern cryptography in forms easily digestible for the technically inclined reader. It even presents a rather unique demonstration of basic cryptographic principles in action in the form of the Solitaire cipher, a cryptographic system invented by Bruce Schneier specifically for Cryptonomicon that can be employed without a computer, via a normal deck of playing cards. It's not a trivial, toy cryptographic system, however: it is meant to be a form of strong cryptography and, in fact, when Cryptonomicon was published with the Solitaire cipher algorithm printed within its pages in the form of a Perl script, saving that script in a file on a computer in the US and emailing it to someone in another country would have violated US munitions export laws because it qualifies as "strong encryption".

Halting State

Probably the least directly educational of the three, this novel by Charles Stross is most interesting for its speculations on virtual currencies, virtual realities in meatspace, cyber-terrorism, and the social implications of all of the above. The primary characters are involved in the investigation of what starts out looking like the "robbery" of a virtual bank in a near-future MMORPG, but quickly spins out of control as they discover that all is not as it at first seems.

It is written primarily in the second person, reminiscent of old text based adventure games, which I found a little difficult to get into at first -- especially with the switching between perspective characters in different chapters. It's an engrossing tale, with a well constructed plot, however.

Little Brother

Cory Doctorow set out to write this novel for "young adults" (i.e. teenagers), with an intentionally educational thread throughout. The main character, a high school student with a perhaps more than healthy interest in learning what others don't want him to know (and using that knowledge), is a hacker in the original sense who, written in the first person perspective, spends a fair bit of time explaining matters of IT security to the reader.

Little Brother is probably the best-written work of fiction that doubles as an educational text I have ever read, in part because it presents basic concepts within the context of the story and encourages the reader to pursue further knowledge on his or her own. If you read the entire novel and don't find yourself inspired to read more on the subjects and concepts presented, you may just not be cut out to be a technologist at all. It's the kind of book I wish I had in my hands when I was thirteen -- but even now, about two decades older, it was a thoroughly enjoyable and inspiring read.

The plot surrounds the events following a terrorist attack on the Bay Bridge in San Francisco, in a future so near it was quite a while before I was sure it wasn't written to basically take place in the present. Politically, it looks like it may take place around 2011 some time, though it is flexible enough that it might believably take place any time in the next decade. The technologies are essentially the technologies we know today, with a few specific additions that could well arise in the next few years.

Like usual, Doctorow's challenges to the dominant paradigm go beyond the content of his fiction: this novel is not only available at bookstores and libraries, but also as a free download under the terms of a Creative Commons license. If you like reading full-length novels in digital file formats, you can get it there as a plain text, PDF, or HTML formatted file. I personally prefer having a physical book in my hands, so that's the form of the novel I read. For a more personal take on Little Brother, check out my brief review in my personal Weblog.

Related reading

The second part of the list is works that aren't novels -- in one case, a book-length essay on the development of operating systems, and in the other a collection of short stories.

In the Beginning was the Command Line

People who enjoy Cryptonomicon may also want to read Stephenson's In the Beginning was the Command Line, a lengthy essay examining the history of operating systems. It was written in the late 1990s, and is a little dated now, but the lessons it conveys are no less valuable. While it doesn't directly address security, it does provide some insights into the design philosophies and necessities of operating systems, the collective mindset of their users, and other matters that provide a basis for understanding the security characteristics of systems incorporating various OSes and real-life end users. It has been published as a short book, but is also available for download as a Mac Stuffit or Zip compressed plain text file, free of charge. Among the rest of the works in this list, this is the only one I read for the first time before 17 July 2007. I have read it several times, however, the most recent being a few months ago. It's not only worth reading once -- it's worth revisiting.

Overclocked: Stores of the Future Present

Doctorow's Overclocked: Stories of the Future Present is a collection of short stories by the author of Little Brother. Many of them, individually, seem tailor-made to challenge the comfortable preconceptions of the modern technologist, illustrating in science fiction prose the possible consequences of contemporary technology policy. Like Little Brother, and most if not all the rest of Doctorow's fiction, it is available as a free download as well as in dead-tree hardcopy editions.

Recommendations

If you're a technology enthusiast, and there's anything in the above list of works that you haven't read, you should rectify that oversight soon. They're all well written, informative, and often inspiring. Three of them are even available for free online, so the excuses for failing to read them lie somewhere between slim and none.

You probably shouldn't read Little Brother all in one sitting like I did, though, unless you just don't have anything else to do that day.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

14 comments
seanferd
seanferd

I've only read three item out of everything you've listed, and only one story from Overclocked at that. I'll be appreciating that list, thanks.

Sterling chip Camden
Sterling chip Camden

RE: "Halting state" written in 2nd person -- that's quite unusual for literature. Expanding "you are in a maze of twisty little passages, all alike" into a complete story would be quite an achievement. I may have to read it simply to satisfy my curiosity on that point alone.

apotheon
apotheon

I have some questions for my readers: 1. It has been a year, today. How am I doing? What would you like to see more of? 2. What security-related reading would [b]you[/b] recommend?

apotheon
apotheon

. . . let me know how that's working out for you. I personally find switching between perspective characters, all of them presented in second person, kinda jarring. I eventually got over it, for the most part, though.

Sterling chip Camden
Sterling chip Camden

I didn't read IT Security much before they signed you on. That, and because you're my personal friend from before then, may bias my opinion. But I think you're doing a damn fine job. I've learned a lot from this publication over the last year. I agree with jdclyde that an index somewhere of links to all of your online writings would be great -- I seem to remember you started that somewhere, but I can't remember where.

jdclyde
jdclyde

would be ease of finding and re-finding your work. A page that has a list of all works would be a good start. I admit to mostly ignoring the emails that go out since the format changes over the last few years. I have always found your papers to be informative, [b]when I see them.[/b] Topics of interest for me, as far as security? Identify and remove rootkits, malware, virus/..... Are you a bot? Fighting the botnet. Identify a compromised linux box. Secure systems, from Win2k to Vista, as well as how to secure a linux server/desktop. Identify processes running. What is using CPU/RAM? What is hiding? Examples of how to setup network monitors. Identify traffic. How much, where it is going, where it came from, what type of traffic. Most sniffers are almost useless because of the overload of data in an unusable format.

Sterling chip Camden
Sterling chip Camden

... to reading a book written entirely in Yoda word-order. After a while, accustomed you would become. Heck, after a while I even got used to reading the Egyptian Book of the Dead in hieroglyphics without resorting to translation (much).

apotheon
apotheon

See my response to jdclyde for information on listings of my work. Thanks for the compliments. Maybe I'm biased, but I tend to think your opinion is definitely worth respect -- so the fact you have a high opinion of my writing really makes me feel good about my efforts.

apotheon
apotheon

I have lists of my work, that I maintain off-TR. First, there's the general works page, my [url=http://sob.apotheon.org/?page_id=7][b]online publication credits[/b][/url] listing. Note that this isn't always completely up to date (for instance, I haven't added this article to the list yet), but I try to make sure it doesn't ever get more than a week behind, and I usually updated it within a day or two of a new article here. Then, there's my [url=http://apotheon.com/pub/][b]articles listing for TR's IT Security Weblog[/b][/url]. I also write a lot of other stuff at [url=http://sob.apotheon.org][b]SOB[/b][/url], my personal Weblog, too. Hope that helps. I'll keep your list of desired topics in mind in the future. Thanks for the suggestions, and the compliments.

apotheon
apotheon

I found the Chad Perrin tag by checking the tags assigned to one of my articles. Just go to the article page and look for "Tags" under the title of the article. The author's name should be one of them.

jdclyde
jdclyde

I haven't seen how to do that since two "upgrades" ago.

apotheon
apotheon

[url=http://search.techrepublic.com.com/search/Chad+Perrin.html]my tag[/url] I don't much like the interface, though. I'm considering some updates to the way I maintain my list of IT Security articles -- something to automate the process, so it'll be up-to-date, and something else to include the takeaways along with the titles. With all the other stuff on my plate right now, though, I don't expect to get around to that any time soon.

jdclyde
jdclyde

is a new category of TAGS. A tag for each blogger.