
Submission + - SPAM: Book review: Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction

benrothke writes:

Bitcoin is a topic that evokes a sort of whodunit to many people. Created by an international man of mystery named Satoshi Nakamoto, it leads many to think this is a protocol that lends itself to a John Grisham novel. Many even think Bitcoin is a government conspiracy. But none of that could be further from the truth.



As an introduction, Bitcoin is a digital currency and payment system created by a person named Satoshi Nakamoto. It was sent out as a proof of concept in 2008 and the open source code was released the following year. It uses a peer-to-peer system for transactions without the need for any intermediate servers. The force behind Bitcoin is its ledger system, which is done via a blockchain. More about that later.



In Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction (Princeton University Press ISBN 0691171696), authors and noted Bitcoin experts Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller and Steven Goldfeder have written a highly technical resource that is perhaps the best Bitcoin reference in print to date.



Bitcoin is gaining serious momentum, but it is still not at a point where it is a ubiquitous payment system. Case in point: the book is available on eBay, Walmart, Amazon, the publisher's web site and more. But none of them will accept Bitcoin as a payment method.

In the following 11 chapters, the authors cover every core aspect of Bitcoin:



1. Introduction to Cryptography and Cryptocurrencies

2. How Bitcoin Achieves Decentralization

3. Mechanics of Bitcoin

4. How to Store and Use Bitcoins

5. Bitcoin Mining

6. Bitcoin and Anonymity

7. Community, Politics, and Regulation

8. Alternative Mining Puzzles

9. Bitcoin as a Platform

10. Altcoins and the Cryptocurrency Ecosystem

11. Decentralized Institutions: The Future of Bitcoin?



The authors explain in technical detail how the underlying Bitcoin protocol and technology operates. Bitcoin also has a number of technical and security limitations which are also discussed.



One of the more significant limitations that may turn out to be problematic is that the cryptographic algorithms in Bitcoin are hardcoded and fixed within the protocol. There are only a few hash algorithms available and only one signature algorithm that can be used. Given that, there is concern (albeit limited) that the underlying cryptography in Bitcoin could be one day broken. While the logical solution may be to just change the protocols, the authors go into a detailed technical overview of why this ostensibly simple idea is not feasible.



Truth be told, the same crypto security concern exists for the RSA cryptosystem which is based in part on the difficulty of factoring large numbers.



Common wisdom says that Bitcoin is a fully anonymizing protocol. The authors address that topic at length. The reality is that Bitcoin is for the most part anonymous, but not fully anonymous. A skilled adversary could use various tactics to determine who made a specific transaction.



The notion that Bitcoin is anonymous annoyed someone so much that they created a website with a long list of references and quotes about Bitcoin's anonymity and privacy.



The authors detail how Ross Ulbricht, who created the Silk Road black market website, was ultimately caught. It was due in part to his inability to keep his public and private identities separate. That enabled the FBI to connect them, which led to his arrest. The Ulbricht case demonstrated that it's quite hard to stay anonymous for a long time while being active and engaging in a course of coordinated conduct working with other people over time.



Ulbricht thought that by using Tor, Bitcoin and other pseudo-anonymous systems, that he would be invisible to law enforcement. That should be a cautionary tale to others.



Bitcoin could have been but another in a long line of cryptocurrencies and electronic cash. Its key differentiator is its decentralization and the use of blockchains. The Bitcoin blockchain is a public ledger of all transactions that occur on the Bitcoin network. The openness of the blockchain means any user can connect and send new transactions to it or verify a transaction.



The blockchain lends itself to possible attack and the book details the ways in which it is secured.



The companion website for the book has a number of videos and programming assignments. The programming assignments are quite helpful and explore the depth of designing and building a basic cryptocurrency.





For those looking to get a highly detailed Bitcoin technical overview, this book is a must read. They provide both technical and real-world examples, including implementation methods of lessons learned from technical failures. The authors have created a highly readable comprehensive overview of the topic that will be of value to anyone looking to explore the most significant cryptocurrency of our times.







Reviewed by Ben Rothke.

Submission + - Book review: The War on Leakers: National Security and American Democracy

benrothke writes:

When it comes to Edward Snowden, the question has often been posed as: is he a patriot or a traitor? In The War on Leakers: National Security and American Democracy, from Eugene V. Debs to Edward Snowden (The New Press 1620970635), author Lloyd Gardner, professor emeritus of history at Rutgers University, has written a fascinating work showing that the question of leakers and whistleblowers is rarely so binary or simple.



The topic is so volatile that in the days that followed Snowden's revelation in 2013, many politicians called for his head. But just last month, former US Attorney General Eric Holder said Snowden performed a public service by triggering a debate over surveillance techniques.



The experienced writer that he is, Lloyd Gardner has written a most fascinating and engaging book that gives the reader an overview of the topic, without the histrionics that usually go along with it.



Much of the book is centered on the Espionage Act of 1917, a US federal law passed just after the start of World War I. The law was meant to stop interference with military operations or recruitment, to prevent insubordination in the military, and to prevent the support of US enemies during wartime. In the century since its passing, it has rarely been used. But as Gardner explains in great detail, that all changed when Obama came to town.



President Barack Obama campaigned on a promise of creating a transparent administration. Yet the nearly 8 years he's been in office have shown that he's been one of the most secretive presidents ever. And in using the Espionage Act, the book shows how he's been perhaps the most punitive President to leakers and whistleblowers. Obama also holds the distinction of using the act more times than any other president.



National security is something that needs to be taken very seriously. While leakers and whistleblowers can seriously undermine American interests and security, there is indeed a time and place for such people. Gardner has written a fantastic book that balances that very fine line between national security and abuse of power, and the ensuing needs for whistleblowers.



The author takes a fair and balanced approach to the topic. He's rational enough to know that there are many national security secrets that forever (or almost) need to be kept confidential; yet takes the government to task where its war on leakers goes beyond the pale.



The book offers no easy answers in which the Snowden story plays a large part. While the NSA has long countered that they would have taken Snowden's allegations seriously had he submitted them through proper channels, that notion has been shown to be absurd. Snowden's leaks showed the NSA, CIA and other agencies trampled over the constitutional rights of Americans. To think that they would have stopped hundreds of programs (and tens of billions of dollars in active projects) due to the protests of a single Booz Allen consultant is both ludicrous and an assault on intellectual honesty.



Gardner writes of numerous cases where legitimate whistleblowers were hounded and prosecuted by the government. From union leader Eugene Debs during World War I, to current times regarding CIA analyst John Kiriakou who shared information about CIA waterboarding of Al Qaeda prisoners, New York Times author James Risen, to NSA whistleblower Thomas Drake.



The book notes that while the Espionage Act has specific places it is meant to operate in, the government has repeatedly used it in a manner in which it was not intended. Rather than focus on those attempting to attack the US, the government made the legitimate leakers the enemy.



Part of the issue is that while government is often handcuffed by the First Amendment, the Espionage Act places the burden of evidence on the whistleblower, and not on the information they are sharing. The very writing of the Act was meant to give the government a tool to stifle the whistleblower, where the Constitution could not.



An interesting point the book makes is that while Obama campaigned against George W. Bush and his policies, in many instances, Obama had sped up many of the spying programs Bush initiated.



Gardner closes the book with the observation that there is a distinction between citizens, who have rights and privileges protected by the state, and subjects, who are under the complete control and authority of the state. There is a fine line between the two. What made America great is treating the public as citizens. But if that line is not preserved, we can quickly revert to the pre-1776 days as subjects of the government.



The debate will forever rage about how to balance national security and privacy on one side, and legitimate dissent on the other. For those looking to truly understand the issue, The War on Leakers: National Security and American Democracy, from Eugene V. Debs to Edward Snowden, is a most important book that every American should read.





Reviewed by Ben Rothke

Submission + - Book review: The Car Hacker's Handbook

benrothke writes: The Car Hacker's Handbook: A Guide for the Penetration Tester

Author: Craig Smith

Pages: 304

Publisher: No Starch Press

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1593277031

Summary: Definitive resource on the insecurities of car software security







The history of technology is replete with instances of security researchers finding a flaw in a product. The vendors then discount the issue and mock the findings, saying it's only a theoretical vulnerability. They may even resort to suing the researchers. When the vulnerability becomes widespread, these vendors then run to patch their insecure product.



We are in that situation now with vulnerabilities around automobile systems. While researchers have been sued and their findings removed from public view, it's only a matter of time until there will be widespread hacks against car systems.



In the just released The Car Hacker's Handbook: A Guide for the Penetration Tester, author Craig Smith has written a fascinating book about how connected cars work, and how they can be hacked. The book provides a substantial amount of information about the applications and embedded software that runs the vehicle.



If conference titles are any sort of indicator of the importance of an issue, the recent 2016 RSA Security conference shows the importance of automobile security. The following presentations around auto security were given:



Collision Investigator: Aftermath of the Auto Hacks (given by author Craig Smith)

Braking the Connected Car: The Future of Vehicle Vulnerabilities

Do We Need Cyber-Ratings for the Auto Industry?

Automobiles are Getting Hacked: What's Next for Transportation Security?



Adding to the issue is that last week the FBI issued a public service announcement that motor vehicles are increasingly vulnerable to remote exploits.



This is a truly fascinating book showing how connected cars are vulnerable due to poorly written software. As new cars are highly computerized, the underlying security is only as good as it is designed and implemented. Based on that, Smith shows how we are far from that state of secure design and implementation. As detailed in the book, some cars can be hacked with ease. In chapter 9, Smith notes that it is often easy to modify the software as the vendors provide no defense against an attack.



Smith writes that early car systems often had proprietary software systems that made hacking harder. With many manufacturers moving to open systems due to cost savings, many of the initial challenges have been obviated. Newer cars now use Ethernet, VoIP and other open standards and protocols.



At the end of the day, anything with connectivity and software can be hacked. Cars have a lot of software and each year with added functionality and more lines of code, the risks increase.



While the book focuses on new cars, older cars can still be networked via aftermarket additions. So it's not so farfetched that an Edsel could be hacked.



The book is an outgrowth of Car Hacker's Handbook from the Open Garages project, of which Smith is the founder. Open Garages are Vehicle Research Labs (VRL) centered around understanding the increasingly complex vehicle systems and provide public access, documentation and tools necessary to understand today's modern vehicle systems.



The book provides the reader with a detailed overview of the computer systems and embedded software ubiquitous in today's new cars. Smith details that vehicles have numerous entry points where a hack can occur. From the CAN, infotainment system, engine control unit (ECU) and more.



The 13 chapters and appendixes are:

1: Understanding Threat Models

2: Bus Protocols

3: Vehicle Communication with SocketCAN

4: Diagnostics and Logging

5: Reverse Engineering the CAN Bus

6: ECU Hacking

7: Building and Using ECU Test Benches

8: Attacking ECUs and Other Embedded Systems

9: In-Vehicle Infotainment Systems

10: Vehicle-to-Vehicle Communication

11: Weaponizing CAN Findings

12: Attacking Wireless Systems with SDR

13: Performance Tuning



Appendix A: Tools of the Trade

Appendix B: Diagnostic Code Modes and PIDs

Appendix C: Creating Your Own Open Garage



Smith knows the topic eminently well and the book is a fascinating read. This is a highly technical book. Those with coding experience will find the most value in the book.



In Chapter 1, Smith provides a good overview of the many threats that cars face. He writes of the importance of threat modeling when attempting to design a secure car system. A good reference he does not mention which lends itself quite well to the topic is the definitive guide on the topic, Adam Shostack's Threat Modeling: Designing for Security.



The early chapters provide a significant amount of technical information around the controller area network (CAN) bus. This is a message-based protocol vehicle bus standard, designed to allow microcontrollers and devices to communicate with each other in applications without a host computer.



Smith provides a number of ways that one can reverse engineer the CAN bus and send fake signals to the systems or engine. While not trivial, these do take programming expertise. But nonetheless, they are far from theoretical.



As history repeats itself, most of the auto manufacturers are focusing more on usability than security. When alerted to the security issues, they will often reply with a generic response that they take security seriously and are continually working to improve the security of their vehicles, including their proprietary vehicle software, as they develop and incorporate even more advanced electronic features into their vehicles. Within that doublespeak is often denial of the bigger picture. That is the scenario that the book addresses.



50 years ago, Ralph Nader wrote Unsafe at Any Speed: The Designed-In Dangers of the American Automobile showing how car manufacturers didn't put in safety features that were available at the time, and were quite resistant to spending money on improving safety.



Today the situation is the same when it comes to car software. Nader's book was a wakeup call and it's hoped that The Car Hacker's Handbook: A Guide for the Penetration Tester will do the same. For those that want to understand what goes on under the hood of the car from a software perspective, this is a most worthwhile read.





Reviewed by Ben Rothke.

Submission + - Book review: Security Operations Center

benrothke writes:

Title: Security Operations Center: Building, Operating, and Maintaining your SOC

Author: Joseph Muniz, Gary McIntyre, Nadhem AlFardan

Pages: 448

Publisher: Cisco Press

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0134052014

Summary: Indispensable guide for those designing and deploying a SOC



Large enterprises have numerous information security challenges. Aside from the external threats, there's the onslaught of security data from disparate systems, platforms and applications. Getting a handle on the security output from numerous point solutions (anti-virus, routers/switches, firewalls, IDS/IPS, ERP, access control, identity management, single sign on and others), often generating tens of millions of messages and alerts daily, is not a trivial endeavor. As attacks become more frequent and sophisticated and with regulatory compliance issues placing an increasing burden, there needs to be a better way to manage all of this.



Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it's a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively. In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic. The authors have significant SOC development experience, and provide the reader with a detailed plan on all the steps involved in creating a SOC.



As Mike Rothman noted about managed services providers, and something that is relevant to a SOC, you should have no illusions about the amount of effort required to get a SOC up and running, or what it takes to keep one current and useful. Many organizations have neither the time nor the resources to implement a SOC, but do, and are then trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats that the SOC had the potential to provide them with, had they done it right. Those considering deploying a SOC and not wanting to be in the hamster wheel of pain will need this book.



The authors have done a great job in covering every phase and many details required to build out a SOC. After going through the book, some readers will likely reconsider deploying an internal SOC given the difficulties and challenges involved. This is especially true since SOC design and deployment is something not many people have experience with.



The book is written for an organization that is serious about building an enterprise SOC. The authors spend much of the book focusing on the myriad requirements for creation of a SOC. They constantly reiterate about details that need to be determined before moving forward.



Chapter 4 on SOC strategy is important as the way in which a firm determines their strategy will affect every aspect of the outcome. The authors wisely note that an inadequate or inaccurate SOC strategy, and the ensuing capabilities assessment exercises would produce a SOC strategy that does not properly address the actual requirements of the organization.



Ultimately, failing to adequately plan and design is a guarantee for SOC failure. That in turn will affect and impact deployment timelines, budgets and cause frustration, dissatisfaction and friction between the different teams involved in the SOC program.



The authors' expertise is evident in every chapter, and their real-world expertise is quite obvious in chapter 5 on facilities, which is an area often neglected in SOC design. The significant issue is that if the facility in which the SOC team operates out of does meet certain baseline requirements, the SOC effectiveness will be significantly and often detrimentally impacted. The chapter details many overlooked topics such as: acoustics, lighting, ergonomics, and more.



Staffing a SOC is another challenge, and the book dedicates chapter 8 to that. The SOC is only as good as the people inside it, and the SOC staff requires a blend of skills. If the organization wants their SOC to operate 24x7, it will obviously require a lot more manpower of these hard to find SOC analysts.



Another helpful aspect is found in chapter 10 which has a number of checklists you can use to verify that all the required pieces are in place prior to a go-live date, or to identify areas that may not be completed as expected.



With Muniz and AlFardan being Cisco employees and this being a Cisco Press title, the book has a strong emphasis towards Cisco hardware and software. Nonetheless, the book is still quite useful even for those who won't be using Cisco products.



Building a SOC is an arduous process which takes a huge amount of planning and of work. This work must be executed by people from different teams and departments, all working together. Based on these challenges, far too many SOC deployments fail. But for anyone who is serious about building out a SOC, this book should be a part of that effort.



The reason far too many, perhaps most, SOC deployments fail is that firms make the mistake of obsessing on the hardware and software, without adequately considering the security operations functions. The authors make it eminently clear that such an approach won't work, and provide you with the expert guidance to obviate that.



For anyone considering building a SOC, or who wants to understand all of the details involved in building one, Security Operations Center: Building, Operating, and Maintaining your SOC, is an absolute must read.





Reviewed by Ben Rothke

Submission + - Book review: The Network Security Test Lab: A Step-by-Step Guide

benrothke writes: Title: The Network Security Test Lab: A Step-by-Step Guide

Author: Michael Gregg

Pages: 480

Publisher: Wiley

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-1118987056

Summary: Good reference to use to build out home test lab for information security





It wasn't that long ago that building a full network security test lab was an expensive prospect. In The Network Security Test Lab: A Step-by-Step Guide, author Michael Gregg has written a helpful hands-on guide to provide the reader with an economical method to do that. The book is a step-by-step guide on how to create a security network lab, and how to use some of the most popular security and hacking tools.





The book is a straightforward guide that will help the reader in their quest to master the art of effective use of security and hacking tools. The reader that can put in the time and plow through the 400 pages will certainly come out with a strong understanding of how to run the most common set of popular security tools.





The book is written for the reader on a budget. In the introduction, Gregg writes how one can easily find inexpensive networking equipment at budget prices on eBay. While brand new hardware devices can cost in the thousands, one can find Cisco Catalyst switches, and Nokia IP and Check Point firewalls for under $50. Combined with his emphasis on open source software and tools, this is a most practical reference for those looking to increase their security skills without breaking the bank.





The book is meant for the reader with a strong technical background looking to gain experience with network security and related security tools. Other similar books will often waste paper and the reader's time by devoting the first 50 to 100 pages with unwanted introductory text. This book hits the ground running and by page 100, the reader is already analyzing network packets with Wireshark.





As to Wireshark, the book references it often. The book's online site includes 6 pcap files that can be downloaded and used by the tool in order to analyze various attacks.





The following are the book's 11 chapters, which cover the entire range of network security and tools:



1. Building a Hardware and Software Test Platform

2. Passive Information Gathering

3. Analyzing Network Traffic

4. Detecting Live Systems and Analyzing Results

5. Enumerating Systems

6. Automating Encryption and Tunneling Techniques

7. Automated Attack and Penetration Tools

8. Securing Wireless Systems

9. An Introduction to Malware

10. Detecting Intrusions and Analyzing Malware

11. Forensic Detection





The book provides a good balance of coverage between Windows and Linux, and details the use of the many tools for each operating system. Each chapter ends with a series of exercises which can be used to help the reader put the information covered into practice. Those looking to gain experience on a wide variety of tools will enjoy the book. It covers a wide range of tools and utilities.





Network Security Test Lab is in the same genre as books such as Hacking Exposed 7: Network Security Secrets and Solutions. The difference is that Hacking Exposed focuses more on the tools, while this book shows the reader how to build a lab to mimic a real world environment. In addition, this book focuses a bit more on using a holistic approach to creating a secure network, as opposed to just hacking in.





In the effort to make the test lab as inexpensive to build as possible, the book places an emphasis on using virtualization. The book focuses on using the VMware Player, a free virtualization software toolkit for Linux and Windows.





The book covers a huge amount of information and tools. If the reader puts in the time and completes everything, they will have a thorough knowledge of most of the key concepts in network security.





The book is a straightforward read for the serious reader. Those willing to put in the effort and the time to learn through the various tools will find The Network Security Test Lab: A Step-by-Step Guide a great resource in which to build and develop their information security skills.







Reviewed by Ben Rothke

Submission + - Book review: Cloud Computing Design Patterns (amazon.com)

benrothke writes: Far too many technology books take a Hamburger Helper approach, where the first quarter or so of the book is about an introduction to the topic, and filler at the end with numerous appendices of publicly available information. These books end up being well over 800 pages without a lot of original information, even though they are written for an advanced audience.



In software engineering, a design pattern is a general repeatable solution to a commonly occurring problem in software design. A design pattern isn't a finished design that can be transformed directly into code. It is a description or template for how to solve a problem that can be used in many different situations.



Using that approach for the cloud, in Cloud Computing Design Patterns, authors Thomas Erl, Robert Cope and Amin Naserpour have written a superb book that has no filler and is fully stocked with excellent and invaluable content.



The authors use design patterns to refer to different aspects of cloud architectures and its design requirements. In the cloud, just as in software, design patterns can speed up the development process by providing tested, proven development paradigms.



The book contains over 100 different design pattern scenario templates that are common to a standard enterprise cloud roll-out. Each scenario uses a common template which starts with a question or specific requirement. It then details the problem, solution, application and the mechanisms used to solve the problem.



The authors build on the notion that for anyone who wants to architect a large cloud solution, they need to have a broad understanding of the many factors involved with the real-world usage of cloud services.



Because cloud services are so easy to deploy, they are often incorrectly misconfigured during roll-out and deployment. The authors write that it's crucial to have a strong background in cloud services before doing any sort of a rollout. Because it's often so easy to deploy cloud services, this results in far too many failed cloud projects. And when the project is poorly implemented, it can actually cause the business to be in a far worse point from where it was before the cloud rollout.



The authors deserve credit for writing a completely vendor agnostic reference, even though there are many times you would appreciate it if they could suggest a vendor for a specific solution.



The book's 10 chapters discuss the following areas:

Chapter 1: Introduction

Chapter 2: Understanding Design Patterns

Chapter 3: Sharing, Scaling and Elasticity Patterns

Chapter 4: Reliability, Resiliency and Recovery Patterns

Chapter 5: Data Management and Storage Device Patterns

Chapter 6: Virtual Server and Hypervisor Connectivity and Management Patterns

Chapter 7: Monitoring, Provisioning and Administration Patterns

Chapter 8: Cloud Service and Storage Security Patterns

Chapter 9: Network Security, Identity & Access Management, and Trust Assurance Patterns

Chapter 10: Common Compound Patterns



Some of the more interesting patterns they detail are:
  • Hypervisor clustering – how can a virtual server survive the failure of its hosting hypervisor or physical server?
  • Stateless hypervisor – how can a hypervisor be deployed with a minimal amount of downtime, while allowing for quick updating and upgrading?
  • Trusted platform BIOS – how can the BIOS on a cloud-based environment be protected from malicious code?
  • Trusted cloud resource pools – how can cloud-based resource pools be secured and become trusted?
  • Detecting and mitigating user-installed VMs – how can user installed VMs from non-authorized templates be detected and secured?

The book is replete with these scenarios, and each scenario includes downloadable figures that effectively illustrate the mechanisms used to solve the problem.





Chapter 3 provides a number of first-rate architectural ideas on how to design a highly resilient cloud solution. Much of the promise of the cloud is built on scalability, elasticity and overall optimization. These chapters show how to take those possibilities from conceptual to a working implementation.





Cloud failures are inevitable and chapter 4 details how to build failover, redundancy and recovery of IT resources for the cloud environment.





Chapter 9 is particularly important, as far too many designers think that since the underlying cloud abstraction layer is highly secure, everything they build on top of that will have the same level of security. The book details a number of design patterns that are crucial to ensuring the cloud design is securing that data at rest and is resistant against specific cloud attacks.





With a list price of $49.99, the book is a bargain considering the amount of useful information the book provides. For anyone involved with cloud computing design and architecture, Cloud Computing Design Patterns is an absolute must read.







Reviewed by Ben Rothke

Submission + - Book review: The Terrorists of Iraq

benrothke writes:

Title: The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014, 2nd Edition

Author: Malcolm W. Nance

Pages: 404

Publisher: CRC Press

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1498706896

Summary: Definitive text on the Iraq War written by one of the few Americans who truly understand the issue





The infinite monkey theorem states that a monkey hitting random typewriter keys for an infinite amount of time will eventually be able to create the complete works of Shakespeare. Various scientists such as Nobel laureate Arno Penzias have shown how the theorem is mathematically impossible.



Using that metaphor, if you took every member of United States Congress and House of Representatives and wrote their collected wisdom on Iraq, it's unlikely they could equal the astuteness of even a single chapter of author Malcolm W. Nance in The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014. It's Nance's overwhelming real-world experiential knowledge of the subject, language, culture, tribal affiliations and more which make this the overwhelming definitive book on the subject.



Nance is a career intelligence officer, combat veteran, author, scholar and media commentator on international terrorism, intelligence, insurgency and torture. In 2014 he became the executive director of the counter-ideology think tank the Terror Asymmetrics Project on Strategy, Tactics and Radical Ideologies (TAPSTRI).



While it's debatable if most members of Congress could elucidate the difference between the Sunnis and Shiites, Nance knows all of the players in depth. He understands and describes who they are, what they are and how their methods work. His unique analysis provides an in-depth understanding of who these groups are and what they are fighting about.



The book details how the many terror groups formed to create the Iraqi insurgency that led to the rise of the Islamic State of Iraq and Syria (ISIS). Nance places the blame on the Bush administration's 2003 invasion of Iraq that led to the destabilization of the country. While the war was based on faulty evidence, the insurgency was created by myriad mistakes, misperceptions and miscalculations by L. Paul Bremer, who led the occupational authority of Iraq during the war.



A common theme Nance makes throughout the book is that the US ignored history and didn't learn the lessons of the Iraqi revolt against the British in 1920 or the events of the Vietnam War. Those lessons being that insurgents and foreign terrorist operations were much more effective despite the enormous manpower and firepower that the US troops brought to bear in Iraq.



Nance details how much of the coalition's strategy was based on wishful thinking. He writes that Washington never had a realistic plan for post-war Iraq. Only Saddam Hussein, Abu Musab al-Zarqawi and the ex-Ba'athists had a definitive strategy for what to do in post-war Iraq. Unlike the Americans, they mobilized the right resources and persons for the job, with devastating and horrifying effects.



The book writes of the utter depravity and evil nature of Saddam Hussein and his sons Uday and Qusay. Following the first Gulf War, Qusay revealed a brutality to match both his father's and brother's. The Hussein family was responsible for the death and torture of hundreds of thousands of innocent Iraqis and others.



The insurgency was and is made up of countless different groups. Some of these groups number under a hundred members, others in the tens of thousands. Nance details who these groups are, their makeup and leadership structure and what they hope to achieve.



Nance quotes Donald Rumsfeld and General Tommy Franks who described the insurgency as dead-enders; namely small groups dedicated to Hussein, and not large military formations or networks of attackers. Yet the reality was that Hussein started creating the insurgency in the months before the invasion. Rather than being a bunch of dead-enders, the insurgency was a group that was highly organized, heavily armed, with near unlimited funds based on looting hundreds of millions of dollars.



From a reporting perspective, the book details how the US government made the same mistakes in Iraq as it did in Iran. Underreporting US casualties, over reporting enemy losses, and obfuscating how terrible the situation on the ground was.



The term IED (improvised explosive device) became part of the vernacular during the Iraq War. The book details how the insurgency used the many different types of IEDs (including human-based IED) at specific times and places for their political and propaganda goals.



Nance writes that the biggest gift the US gave to Osama bin Laden was to invade Iraq. The invasion provided him with an opportunity for inspirational jihad. Bin Laden envisioned a holy war with heroic men fighting against desperate odds in the heart of historic Islam, just like the first battles of the Prophet Mohammed.



Nance spends a few chapters dealing with ISIS and how it came to be. There are multiple iterations of the group, which developed as the Iraq mess evolved.



The book closes with a disheartening overview of the current state. Nance writes that the Middle East is in far more danger from destabilizing collapse of states due to the effects of the American invasion today than it has ever been.



As ISIS is currently the dominant force in Iraq, Nance states that he fears ISIS will have no intention of going back to being a small insurgent group. It will attempt to consolidate captured terrain. It will offer the Sunni a chance to rule under it at the technocrat level, but that is when the pogroms will start.



In the end, Nance writes, the Islamic caliphate will attempt and fail at creating a popular Iraqi-Syrian nation out of stolen governorates. But unless confronted quickly and forcefully, it may become an isolated jihadistan from which no end of terror will spawn.



For those that want to truly understand the Iraq conflict, Nance is eminently qualified and this book is uniquely superb. There is no better book than The Terrorists of Iraq: Inside the Strategy and Tactics of the Iraq Insurgency 2003-2014 on the subject.





Reviewed by Ben Rothke

Submission + - Book review: Future Crimes

benrothke writes: Title: Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It

Author: Marc Goodman

Pages: 400

Publisher: Doubleday

Rating: 9/10

Reviewer: Ben Rothke

ISBN: 978-0385539005

Summary: In the rush to get everyone wired, they forget to secure it





Technology is neutral and non-moral. It's the implementers and users who define its use. In Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It, author Marc Goodman spends nearly 400 pages describing the dark side of technology, and those who use it for nefarious purposes. He provides a fascinating overview of how every major technology can be used to benefit society, and how it can also be exploited by those on the other side.



Technology breeds crime and in the book, Goodman uses Crime, Inc. as a metaphor for the many entities and organizations that exist in the dark web and fringes of the Internet. Towards the end of the book, after describing all of the evils that the Internet creates, he suggests creation of a modern day Manhattan Project for cyber security. He writes that a major initiative such as that is what is required to secure the Internet and emerging technologies.



As to Crime, Inc., Goodman shows how they use technologies such as distributed computing, satellite communications, crowdsourcing, encrypted channels and other sophisticated mechanisms to carry out their actions. The premise of the book, and it's a compelling one, is that in the rush to wire every classroom, person and organization, we have failed to secure it appropriately.



The book's 18 chapters are an easy and fascinating read. Goodman writes in detail about many major technology trends and how their benefits can be subverted. The book is written for the non-technical reader and Goodman does an admirable job of minimizing tech-talk and gibberish.



While the book obsesses on the dark side, it's important to note that Goodman is not an anti-technologist. The goal of the book is to make people aware of what they are clicking on, and how they often give away their personal life when using free mobile applications.



Chapter 6 on the surveillance economy is particularly interesting. While Snowden brought attention to the NSA's wholesale spying, what has gone under the radar is the lucrative surveillance economy that has developed. Goodman writes how firms like Acxiom, Epsilon and others are part of the over $150 billion data brokerage industry. Their power is that they correlate information from myriad disparate sources, to create a powerful dossier that marketers are willing to pay for.



The chapter articulately details the unprecedented amounts of data people have shared with third-parties; that once shared, is almost impossible to control. The privacy implications are huge and the problem is only getting worse. Data brokers have no privacy incentives as they make money when they sell data, not when they protect it.



The book is a fascinating read, albeit a bit wordy at times. The book contains so many horror stories and examples of software and hardware gone badly, that the reader can be overwhelmed. Goodman on occasion makes some errors, such as when he writes that a six-terabyte hard drive could hold all of the music ever recorded anywhere in the world throughout history. At times, he overemphasizes things, such as when he writes that one billion users have posted their most intimate details on Facebook. While Facebook recently passed the 1 billion user mark, not every user posts intimate details of their lives.



The book provides a superb overview of the security implications of the Internet of Things (IoT). Goodman details how the IoT can be used to create intelligent systems and networks that can detect and shut down adversaries. But to secure the IoT will require an effort akin to the Manhattan Project. With that, Goodman advocates that the government fund a digital Manhattan Project, getting the best and brightest minds in the information security space together, to create a framework to better secure the Internet.



The problem is as he notes, that Washington simply does not see the need nor can they comprehend the urgency of the situation. It's only the government that can ostensibly get the private and public sectors together to work in concert, but that is unlikely to happen anytime soon. Which only serves to exacerbate an already tenuous information security problem.



An additional issue the book grapples with is that while the government wants its citizens to be secure and touts the importance of personal privacy, it simultaneously spies on them. Also, providers such as Google and Facebook provide free services, at the cost of turning the user into a data customer. It's not just the criminals and terrorists the book warns about, rather government and free data collection services.



While the book paints an overly depressing picture of what the future holds for personal privacy, Goodman closes the book with his UPDATE protocol. He writes that while the worst is yet to come and that it's getting more and more difficult to gain control of your personal data and metadata, there are six steps you can do. Goodman claims that these 6 steps can prevent 85% of digital attacks. The UPDATE steps are: Update frequently, Passwords, Download from safe sites only, Administrator accounts used with care, Turn off computers and Encrypt data.



Much of the problem is that people are clueless to what is going on. They use free services not knowing their data and personal privacy is what they are giving away. Finally, users don't know what good security looks like. The book is a valiant attempt to show users that while they think they are using the Internet in a pristine environment, it is simply a cesspool of malware, scammers and miscreants. Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It is a great wake-up call. Let's just hope everyone wakes up and reads it.





Reviewed by Ben Rothke

Submission + - Book review: Data and Goliath

benrothke writes:

Title: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Author: Bruce Schneier

Pages: 400

Publisher: W. W. Norton & Company

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0393244816

Summary: Important defense of privacy & expose on the dangers of NSA domestic mass surveillance



In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, author Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama and the NSA for their wholesale spying on innocent Americans and violations of myriad laws. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers facing everyone.



A comment like "what's the big deal?" often indicates a naiveté about a serious significant underlying issue. The idea that if you have nothing to hide you have nothing to fear is a dangerously narrow concept on the value of privacy. For many people the notion that the NSA was performing spying on Americans was perceived as not being a big deal, since if a person is innocent, then what do they have to worry about. In the book, Schneier debunks that myth and many others, and defends the importance of privacy.



Schneier writes that privacy is an essential human need and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing and it makes no difference whether the surveillance is conducted by an undercover police officer following us around or by a computer algorithm tracking our every move.



The book notes that much of the data sharing is done voluntarily from users via social media and other voluntary sharing methods. But the real danger is that the NSA has unlawfully been conducting mass surveillance on Americans, in violation of the Constitution and other Federal laws. And with all of that, the book observed that after spending billions doing it, the NSA has very little to show for its efforts.



While the NSA has often said they were just collecting metadata, Schneier writes that metadata can often be more revealing than the data itself, especially when it's collected in the aggregate. And even more so when you have an entire population under surveillance. How big of a deal is metadata? Schneier quotes former NSA and CIA director Michael Hayden that "we kill people based on metadata".



The book spends chapters detailing the dangers of mass data collection and surveillance. It notes that the situation is exacerbated by the fact that we are now generating so much data and storing it indefinitely. People can now search 20 years back and find details that were long thought to have been forgotten. Today's adults were able to move beyond their youthful indiscretions; while today's young people will not have that freedom. Their entire life histories will be on the permanent record.



Another harm of mass government surveillance is the way it leads to people being categorized and discriminated against. Since much of the data is gathered in secret, citizens don't have the right to see or refute it. Schneier notes that this will intensify as systems start using surveillance data to make decisions automatically.



Schneier makes numerous references to Edward Snowden and views him as a hero. He views Snowden's act as being courageous since it resulted in the global conversation about surveillance being made available. Had it not been for Snowden, this book would never have been written.



Schneier does a good job of showing how many of the methods used by the NSA were highly questionable, and based on extremely broad readings of the PATRIOT ACT, Presidential directives and other laws.



The book notes that not only has mass surveillance on US citizens provided extremely little return on the tens of billions of dollars spent; the very strategy of basing security on irrational fears is dangerous. The book notes that many US agencies were faulted after 9/11 and the Boston Marathon bombing for not connecting the dots. But connecting the dots against terrorist plots is extraordinarily difficult, if not impossible. Given the rarity of these events, the book notes that the current systems produce so many false positives as to render them useless.



Schneier straight-out says that ubiquitous surveillance and data mining are not suited for finding dedicated criminals or terrorists. The US is wasting billions on these programs and not getting the security they have been promised. Schneier suggests using the money on investigations, intelligence and emergency response; programs whose tactics have been proven to work.



Schneier makes many suggestions on how to stop the mass surveillance by the NSA. His biggest suggestion is to separate espionage agencies from the surveillance agencies. He suggests that government surveillance of private citizens should only be done as part of a criminal investigation. These surveillance activities should move outside of the NSA and the military and should instead come under the auspices of the FBI and Justice Department, which will apply rules of probable cause, due process and oversight to surveillance activities in regular open courtrooms. As opposed to the secret United States Foreign Intelligence Surveillance courts.



Schneier notes that breaking up the NSA is a long-range plan, but it's the right one. He also suggests reducing the NSA's budget to pre-9/11 levels, which would do an enormous amount of good.



While Schneier comes down hard on mass surveillance, he is also rational enough to know that there are legitimate needs for government surveillance, both law enforcement and intelligence needs to do this and we must recognize that. He writes that we must support legitimate surveillance and work on ways for these groups to do what they need without violating privacy, subverting security and infringing on citizens' rights to be free of unreasonable suspicion and observation.



The book concludes with a number of things that can be done. At the personal level there is a lot people can legitimately do to stop sharing so much personal information. But for most people, they would rather reap the short-term benefits of sharing information on social media, with retailers and more; than the long-term privacy benefits.



The book also notes that much of the problem stems with federal agencies since keeping the fear stoked is big business. For those in the intelligence agencies, that is the basis of their influence and power. Schneier also lays some of the blame on the media who stoke the irrational fears in the daily news. By fixating on rare and spectacular events, the media conditions us to behave as if terrorism were much more common than it is and to fear it far out of proportion to its actual incidence.



This is an incredibly important book. Schneier is passionate about the subject, but provides an extremely reasonable set of arguments. Superbly researched, Schneier lays out the facts in a clear, concise and extremely readable manner. The book is at times disturbing, given the scope and breadth of the NSA surveillance program.



This is the perfect book to take with you on a long flight. It's a compelling and engrossing read, an important book and a major wake-up call. The NSA knows all about you via its many total information awareness programs. In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, Bruce Schneier provides the total information awareness about what the NSA is doing, how your personal data is being mined, and what you can do about it.



While the NSA was never able to connect the dots of terrorists, Schneier has managed to connect the dots of the NSA. This is a book that must be read, for your freedom.





Reviewed by Ben Rothke

Submission + - Book review: Data and Goliath

benrothke writes: Title: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Author: Bruce Schneier

Pages: 400

Publisher: W. W. Norton & Company

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0393244816

Summary: Important defense of privacy & expose on the dangers of NSA domestic mass surveillance





In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, author Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama and the NSA for their wholesale spying on innocent Americans and violations of myriad laws. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers facing everyone.



A comment like "what's the big deal" often indicates a naiveté about a serious significant underlying issue. The idea that if you have nothing to hide you have nothing to fear is a dangerously narrow conception on the value of privacy. For many people the notion that the NSA was performing spying on Americans was perceived as not being a big deal, since if a person is innocent, then what do they have to worry about. In the book, Schneier debunks that myth and many others, and defends the importance of privacy.



Schneier writes that privacy is an essential human need and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing and it makes no difference whether the surveillance is conducted by an undercover police officer following us around or by a computer algorithm tracking our every move.



The book notes that much of the data sharing is done voluntarily from users via social media and other voluntary sharing methods. But the real danger is that the NSA has unlawfully been conducting mass surveillance on Americans, in violation of the Constitution and other Federal laws. And with all of that, the book observed that after spending billions doing it, the NSA has very little to show for its efforts.



While the NSA has often said they were just collecting metadata, Schneier writes that metadata can often be more revealing than the data itself, especially when it's collected in the aggregate. And even more so when you have an entire population under surveillance. How big of a deal is metadata? Schneier quotes former NSA and CIA director Michael Hayden that "we kill people based on metadata".



The book spends chapters detailing the dangers of mass data collection and surveillance. It notes that the situation is exacerbated by the fact that we are now generating so much data and storing it indefinitely. People can now search 20 years back and find details that were once forgotten, often just after the incident occurred. Today's adults were able to move beyond their youthful indiscretions; while today's young people will not have that freedom. Their entire life histories will be on the permanent record.



Another harm of mass government surveillance is the way it leads to people being categorized and discriminated against. Since much of the data is gathered in secret, citizens don't have the right to see or refute it. Schneier notes that this will intensify as systems start using surveillance data to make decisions automatically.



Schneier makes numerous references to Edward Snowden and views him as a hero. He views Snowden's act as being courageous since it resulted in the global conversation about surveillance being made available. Had it not been for Snowden, this book would never have been written.



Schneier does a good job of showing how many of the methods used by the NSA were highly questionable, and based on extremely broad readings of the PATRIOT ACT, Presidential directives and other laws.



The book notes that not only has mass surveillance on US citizens provided extremely little return on the tens of billions of dollars spent; the very strategy of basing security on irrational fears is dangerous. The book notes that the many US agencies were faulted after 9/11 and the Boston Marathon bombing for not connecting the dots. But connecting the dots against terrorist plots is extraordinarily difficult, if not impossible given current computing techniques. Given the rarity of these events, the book notes that the current systems produce so many false positives as to render them useless.



Schneier straight-out says that ubiquitous surveillance and data mining are not suited for finding dedicated criminals or terrorists. The US is wasting billions on these programs and not getting the security they have been promised. Schneier suggests using the money on investigations, intelligence and emergency response; programs whose tactics have been proven to work.



Schneier makes many suggestions on how to stop the mass surveillance by the NSA. His biggest suggestion is to separate espionage agencies from the surveillance agencies. He suggests that government surveillance of private citizens should only be done as part of a criminal investigation. These surveillance activities should move outside of the NSA and the military and should instead come under the auspices of the FBI and Justice Department, which will apply rules of probable cause, due process and oversight to surveillance activities in regular open courtrooms, as opposed to the secret United States Foreign Intelligence Surveillance courts.



Schneier notes that breaking up the NSA is a long-range plan, but it's the right one. He also suggests reducing the NSA's budget to pre-9/11 levels, which would do an enormous amount of good.



While Schneier comes down hard on mass surveillance, he is also rational enough to know that there are legitimate needs for government surveillance, both law enforcement and intelligence needs, and we must recognize that. He writes that we must support legitimate surveillance and work on ways for these groups to do what they need without violating privacy, subverting security and infringing on citizens' rights to be free of unreasonable suspicion and observation.



The book concludes with a number of things that can be done. At the personal level there is a lot people can legitimately do to stop sharing so much personal information. But for most of them, the long-term benefits may lose out to the short-term gains from sharing their information on social media, with retailers and more.



The book also notes that much of the problem stems from federal agencies, since keeping the fear stoked is big business. For those in the intelligence agencies, that is the basis of their influence and power. Schneier also lays some of the blame on the media who stoke the irrational fears in the daily news. By fixating on rare and spectacular events, the media conditions us to behave as if terrorism were much more common than it is and to fear it far out of proportion to its actual incidence.



This is an incredibly important book. Schneier is passionate about the subject, but provides an extremely reasonable set of arguments. Superbly researched, Schneier lays out the facts in a clear, concise and extremely readable manner. The book is at times disturbing, given the scope and breadth of the NSA surveillance program.



This is the perfect book to take with you on a long flight. It's a compelling read, an important book and a major wake-up call. The NSA knows all about you via its many total information awareness programs. In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, Bruce Schneier provides the total information awareness about what the NSA is doing, how your personal data is being mined, and what you can do about it.



While the NSA was never able to connect the dots of terrorists, Schneier has managed to connect the dots of the NSA. This is a book that must be read, for your freedom.







Reviewed by Ben Rothke
