JonHoyle.com Mirror of MacCompanion
http://www.maccompanion.com/macc/archives/August2009/Books/mythsofsecurity.htm


The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

Reviewed by Robert L Pritchett

Author: John Viega

O'Reilly

Released: June 29, 2009

Pages: 260

$0 USD, $8 CND

ISBN: 9780596523022


Strengths: A compilation of unvarnished opinion-pieces regarding computer security topics.


Weaknesses: Much of the information is rather superficially discussed.


Introduction


"If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue. Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:


  • Why it's easier for bad guys to "own" your computer than you think.
  • Why anti-virus software doesn't work well -- and one simple way to fix it.
  • Whether Apple OS X is more secure than Windows.
  • What Windows needs to do better.
  • How to make strong authentication pervasive.
  • Why patch management is so bad.
  • Whether there's anything you can do about identity theft.
  • Five easy steps for fixing application security.


Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online."


What I Learned


The book reads like screen scrapes from a blog. The author could not have written it without having left McAfee, but they hired him back anyway. And by the way, he does use a Mac. I love his subtle comparisons between platforms. And he did dedicate one chapter, oh so briefly, to Apple security. Some of his chapters are one-pagers.


Take the book as a gauntlet thrown down at the feet of the multi-trillion-dollar per year computer security business. John Viega describes the security emperor as not having any clothes – and then describes ways and means of how to dress him/her.


The book isn't so much an overview and "tell all" as it is an action book describing what can/will be done from an "insider". The fact that he switched platforms speaks volumes.


He has put into words the way many feel about computer security technologies, whether "Crap-CHAs", personal firewalls, anti-virus packages, or efforts to improve authentication processes (he doesn't much care for signatures and certificates either), and he has no kind words for VPNs. He has a special dislike for HTTPS. He certainly has no love for computer security programming books that are outdated and decades old.


He does, however, provide some direction regarding technologies he is personally involved with, which will be revealed sometime in the near future: less invasive and requiring fewer keystrokes.


The book reads like a smorgasbord: a little here, a little there, for a full plate of a bit of everything on computer security. The book has an Index but no Reference section and, get this, no web links except in precious few places.

The publisher of the book apparently asked him to include the female gender in the text, so there are some funny lines with gals being called guys in sentences with "her/she" instead of "him/he".


I found most intriguing his discussion of "Responsible Disclosures" by software manufacturers and those who would capitalize on their vulnerabilities and security update processes.


Conclusion


Buy the book if you want to get a better idea of the current situation regarding the computer security industry, and maybe get a glimpse of what may appear in the near future. It is a call to action for the industry.


Don't buy the book if you are looking for in-depth and annotated documentation on computer security and protocols.