Book Review: Geekonomics, by David Rice
December 27th, 2007
By Stephen Northcutt
Depending on whom you ask, mankind has survived on this planet for somewhere between 10,000 and 160,000 years.[1] However, we are the first generation to be dependent on software. Geekonomics opens with a discussion of the importance of cement and how crucial it is to our civilization. From roads to sewers, cement is our infrastructure, and I could not agree more. After the driest summer since they have been measuring such things where I live, the rain has been falling and falling and falling and my farm is one big mud hole. Every unimproved road is dangerous and some of the asphalt is failing. So, I am replacing and improving with cement. It is expensive, but cement roads will outlast me, my son and his sons. Software is as important to infrastructure as cement as a foundation of civilization, asserts the author of Geekonomics,[2] David Rice, but while considerable energy has been expended to normalize the manufacture and application of cement, much less work has been done with software.
While the cement roads we are putting in will last a hundred or more years, the author points out that software is often essentially obsolete by the time the consumer takes possession of it. In fact, consumers value innovation so much that it is prized above security, even though a quick look at the news shows us the cumulative effect of software failure leading to data breaches. At this exact moment, according to privacyrights.org, 216,770,536 consumer records have been lost.[3] As Rice points out, in the 1970s the criminal underground realized there was more money to be made, at less risk of being caught, trafficking in drugs than in other forms of crime, so it became a big thing. In the past few years, the criminal underground has started to focus on software, specifically vulnerabilities in software that can lead to data breaches that allow identity theft and credit card fraud.[4]
As the book explains, crime begets crime; if you have a neighborhood with broken windows, this can lead to additional problems: criminals and other worthless fellows are comfortable hanging out and doing whatever they want to do. This too, I have seen in my own life; one of my employees has had to abandon her home for a few weeks. The condominium above her had a broken window that was used to enter that home, and people took up residence in the empty foreclosed home. They invited their friends, and now the entire complex is less desirable. Geekonomics lists the positive example of the New York Subway system's clean car program,[5] under which all cars had to be clean with no graffiti; if a car could not be cleaned, it was taken out of service until it was clean. This has led to a major improvement in the security and user experience of the subway system. However, as the author points out, you can see graffiti; you cannot necessarily see the flaws in software that attract the criminal elements.
Another interesting comparison the book makes is with the interstate highway system in the US. It was designed for safety from the beginning and is a critical part of the national infrastructure. If you want to go somewhere, you can. For all its costs, having this infrastructure in place saves far more money (imagine trying to get fresh milk to market over muddy, pothole-filled roads). However, the Internet, which is the software analog of the highway system, was not built for safety and may well not scale with growth as well as the highway system has.
The book continues with example after example to show how our legal system does not aid the consumer in receiving quality and safety from software but, in fact, makes the problem worse. Rice does not simply dwell on problems; after strongly establishing his case, he points the way to the changes that need to take place if we, the first generation to be truly dependent on software, are going to prosper. This is an important book. It does not require knowledge of IT or software development to read; every thinking man and woman should read this book and ask, what can I do? Standards, quality, and incentives that achieve the results we want and deserve are key. As the author says, "I believe we have not gone too far down the path to alter course, but we aren't trying hard enough yet." That is the call to action: write your legislator, lobby consumer organizations, do what you can, but advocate rational software. Thank you, David Rice.
1. http://www.newadvent.org/cathen/15704b.htm
2. http://www.amazon.com/Geekonomics-Real-Cost-Insecure-Software/dp/0321477898
3. http://www.privacyrights.org/ar/ChronDataBreaches.htm
4. http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm
5. http://www.aic.gov.au/publications/rpp/31/RPP31-13.pdf