Stewart has written an easy-to-read history of computer security. I consider myself to be very familiar with this topic, having taught security for over a decade, but Stewart's approach is both less technical and more complete than any class I ever taught. If I found myself disagreeing with something he had written, I could easily follow-up by checking the references Stewart has provided--all sixty-six pages of 'Notes' at the back of the book. Many of the notes come from conference papers as well as ;login: articles and interviews, so long time readers of ;login: may find some of the information familiar.
Stewart begins by pointing out the three 'stigmata' of information security: data breaches, nation state hacking, and epistemic closure. Epistemic closure means a group has retreated from reality into a make-believe world. In this case, what Stewart means is that dealing with symptoms will not fix the causes of insecurity, and that the latest fad in security products won't solve the problem either.
The bulk of the book really is about history: how we got to where we are today. Stewart starts with DoD researchers attempting to duplicate the security controls used with paper documents, something that eventually turns into the NSA's Orange book. While systems designed to fit into Orange book categories were designed, the process of certifying those designs took so long that they were obsolete long before the systems could ever be used.
He next tackles the beginning of the Internet and the wild growth spurt of the nineties. Among the faults endemic in this era are systems designed to be easy to use and as a result, easy to hack. Stewart's writing is full of stories about the spectacular hacks of the 90s and noughts, and I enjoyed reviewing memories of these events.
Stewart praises Bill Gates for his decision to suspend development in 2002 until MS programmers took the time to learn secure programming practices with a four hour class. The Security Development Lifecycle has certainly helped not just Microsoft but countless other companies who likely have been at least influenced by this work. But it's obvious that reading a book about SDL or taking a four hour class is not enough. Among other things, many companies already have millions of man-years of software developed that form the basis for their success, and they are not going to get tossed and replaced with a fresh start. MS has this problem even to this day, leading to security vulnerabilities. This is a bit of 'history' not covered in the book, but certainly a large part of why systems are still so vulnerable today.
Stewart continues his marvelous story telling, covering human weaknesses, perhaps the most reliable way of gaining access to networks, then to massive data breaches. He expresses his ire about stunt hacking, for example, attempting to hack a passenger jet's control system while in flight, then bragging about it. I certainly agree with Stewart.
Where we do part ways is the effects of vulnerability disclosure. Stewart considers this a terrible idea, while I believe that holding companies' feet to the fire of publicity has often been the only way to get them to do any work at improving the security of their software.
Altogether, I consider this book very much worth reading. I found myself reading Stewart's book as a break from much more technical reading, as the book is entertaining as well as informative.
