My Book reviews /

The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

Title The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Authors John Viega
Publisher O'Reilly Media
Date 2009-06-26
Pages 264
ISBN 0596523025

This is a great book for either security specialist or a general computer user. For the former the book gives lots of criticism for the awful state of todayтАЩs security, for the latter the book identifies traps which users are likely to fall into and provides help in avoiding them. The bookтАЩs biggest achievement is the breadth with which it considers various aspects of security: from anti-virus programs to secure shopping to secure hardware platforms and identifies possible improvements.

The book consists of many small chapters but the gloabl picture is easily visible. Based on his experience as a leading industry security expert, the author makes a proposal on how to improve the state of security. This is call for action for everybody who wants to avoid global security crisis.

The book starts with mentioning Randy Pausch тАУ a professor who was smashing VCRs because of their bad user interfaces. According to the author, most of what security companies have to offer is worth smashing as well. The author says that security companies are responsible for security being treated as inevitable evil that would slow down your computer and print out lots of false alarms.

He explains in greater detail how an anti-virus works. The companies spend most of their time analysing virus samples and writing signatures. This is a tedious process and the value of this intellectual property is rather minimal. The author calls for better cooperation among security companies. Each company has its own signature format. On the Web everybody is using XML to facilitate interoperability. Why cannot the companies agree on a similar signature format?

The author analyses an opposite method of protection which is behavior-based methods. They do not work in the current environment because of false positives. For example, if a program writes garbage to disk it is possible that it decrypts something. Viruses and media players do this alike, their behavior is the same. The author proposes a solution to this problem. In order to decrease the rate of false positives each program needs to get signed. A signature is verified in a repository of good programs. The problem is that users are not cooperating in creating such directories of programs that are verified. If such directories existed then behavior-based anti-virus suite would not raise an alarm for any trusted application.

Therefore, the author believes that the solution to our problems is in a collaborative approach to security or an approach that involves a trusted authority. One real example of a successful implementation of this idea is SiteAdvisor тАУ a program that runs as a plugin in Firefox and checks every web site a user visits against a database of good/bad sites. The rating of a web site depends on analysis that security experts performed earlier but I guess it is possible to use crowed intelligence as well.

Are the companies spending their money wisely? The economics of security is another issue that the author analyses. His conclusion is that 1 billion dollars that Microsoft spent on imrpoving the security of Vista operating system are spent wrongly. One reason is that the author says security training of developers is not worth spending money on because people will forget everything in a couple of months. Instead, give money to the specialized security audit companies whose employees are doing security work for living. Even though their rates are quite high and reach as much as 75 cents per line of code it would cost less than 1 billion to audit Windows.

Finally, the author challenges the state of security in our society. For example, everybody is very concerned with identity theft. But there are so many interesting documents ending up in your garbage that any potential attacker would rather look into your garbage can than attempt to get into your computer.

The state of secure Web is also challenged. The author claims that man-in-the middle attacks are efficient. He says that people are ignoring expired SSL certificates or those issued by a dubious authority. The author calls for a mutual authentication when not only you know that you are talking to a legitimate web site but the site knows who it is talking to as well.

The author blames academia for re-inventing things that industry has been using for a while. He calls for better cooperation between industry and academia.

This book reminds me of a security book of Ross Anderson. However, this book is much more ciritcal and focused on identifying the vulnerabilities and proposing how to fix them. Despite its criticism the book is written with a great wish for a better state of security.