Full Report
I go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics). I generally stay away from writing reviews, but was genuinely surprised at the number of 5 star reviews Viega's new book had received and felt I had to chime in. I picked up "The Myths of Security" (What the computer industry doesn't want you to know) with hope, because O'Reilly books in general are well done and I really liked some of John's previous books. Alas! I tried hard to think of a good thing to say about the book, and the best I can come up with right now is that "at least, it won't take up space on my bookshelf". The book is tiny (48 chapters, where each chapter is between a paragraph to 2-3 pages), which isn't a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.
Analysis Summary
## Main Topic
Critique of John Viega's book, "The Myths of Security (What the computer industry doesn't want you to know)," focusing on the reviewer's objections to how the author handles security, privacy, and anonymity, and to the book's structure and self-promotion.
## Key Points
- The reviewer found the book poorly structured: its 48 short chapters (a paragraph to 2-3 pages each) read like a collection of blog posts or hastily written notes-to-self rather than a coherent argument.
- Heavy self-promotion was noted, specifically the repeated use of the "McAfee" brand name (roughly 65 occurrences in the text).
- The book's arguments are inconsistent, with the author taking opposing sides on the same security issue in different chapters.
- One security stance singled out for criticism: the author dismisses the likelihood of mobile phone malware epidemics, arguing that attackers find traditional PCs and laptops easier and more profitable targets. The reviewer rejects this, since mobile devices now hold a person's most sensitive data regardless of whether they make useful botnet nodes.
- The treatment of privacy and anonymity is minimal (privacy receives fewer than 200 words; anonymity receives 166 words).
- The book takes a dismissive line on privacy ("privacy is nice in theory, but if you don't have anything to hide, what's the big deal?") and a similar one on anonymity.
## Threat Actors
- **Charlie Miller:** A security researcher, not a threat actor; the reviewer cites his work as evidence that mobile devices are exploitable (the implication being that data on the device can be harvested through SMS-delivered attacks).
- **General "bad guys":** Mentioned in passing as rational attackers who go after the easier, more lucrative target (traditional PCs and laptops rather than smartphones, in the author's view).
## TTPs
- **Mobile exploitation (implied):** The reviewer's counterpoint to the author rests on SMS-based attacks against mobile devices leading to exfiltration of the personal data stored on them; no specific exploit is described.
- **Security theater:** Raised in connection with the TSA's approach, meaning measures that produce a feeling of safety without measurably reducing risk.
## Affected Systems
- **Mobile phones/smartphones:** Discussed as a growing attack surface and as the store of highly sensitive personal data.
- **Traditional PCs and laptops:** Cited by the author as the easier target for financially motivated attackers (botnet recruitment, etc.).
## Mitigations
- **Privacy advocacy:** The reviewer's position is that privacy and anonymity are worth defending on their own merits, whether or not anyone has shown how to monetize them ("even if you can't sell it").
- **Data security on mobile:** The reviewer's implicit point is that mobile devices must be protected because they hold critical personal data that can be harvested, independent of their value as botnet nodes.
## Conclusion
The report summarizes a highly critical review of Viega's book. The reviewer's concern is that the book may misinform decision-makers through its inconsistent arguments, weak structure, and dismissive treatment of fundamental topics, in particular privacy, anonymity, and the shifting risk of mobile computing, and that it lacks depth on exactly the subjects where depth is needed.