The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Reviewed by Robert L Pritchett
![](mythsofsecurity_files/image003.png)
Author: John Viega
O'Reilly
Released: June 29, 2009
Pages: 260
$0 USD, $8 CND
ISBN: 9780596523022
Strengths: A compilation of unvarnished opinion pieces regarding computer security topics.
Weaknesses: Much of the information is rather superficially discussed.
Introduction
"If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue. Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:
- Why it's easier for bad guys to "own" your computer than you think.
- Why anti-virus software doesn't work well -- and one simple way to fix it.
- Whether Apple OS X is more secure than Windows.
- What Windows needs to do better.
- How to make strong authentication pervasive.
- Why patch management is so bad.
- Whether there's anything you can do about identity theft.
- Five easy steps for fixing application security.
Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online."
What I Learned
The book reads like screen scrapes from a blog. The author could not have written it without having left McAfee, but they hired him back anyway. And by the way, he does use a Mac. I love his subtle comparisons between platforms. And he did dedicate one chapter, oh so briefly, to Apple security. Some of his chapters are one-pagers.
Take the book as a gauntlet thrown down at the feet of the multi-trillion-dollar per year computer security business. John Viega describes the security emperor as not having any clothes – and then describes ways and means to dress him/her.
The book isn't so much an overview and "tell all"
as it is an action book describing what can/will be done from an
"insider". The fact that he switched platforms speaks volumes.
He has put into words the way many feel about computer security technologies, whether they are "Crap-CHAs", personal firewalls, anti-virus packages or improved authentication processes (he doesn't much care for signatures and certificates either). Nor does he have any kind words regarding VPNs, and he has a special dislike for HTTPS. He certainly has no love for computer security programming books that are outdated and decades old.
He does, however, provide some direction regarding technologies he is personally involved with, which will be revealed sometime in the near future: less invasive and fewer keystrokes.
The book reads like a smorgasbord of a little here, a little there, for a full plate of a bit of everything on computer security. The book has an index, but no reference section and, get this, no web links, except in precious few places.
The publisher of the book apparently asked him to include the female gender in the text, so there are some funny lines with gals being called guys in sentences with "her/she" instead of "him/he".
I found most intriguing his discussion of "responsible disclosure" by software manufacturers and of those who would capitalize on their vulnerabilities and security update processes.
Conclusion
Buy the book if you want to get a better idea of the current situation regarding the computer security industry – and maybe get a glimpse of what may appear in the near future. It is a call to action for the industry.
Don't buy the book if you are looking for in-depth and annotated documentation on computer security and protocols.