MTU Cork Library Catalogue


Beautiful security [electronic book] / edited by Andy Oram and John Viega.

Contributor(s): Oram, Andrew [editor.] | Viega, John [editor.].
Material type: Book
Series: Theory in practice (Sebastopol, Calif.)
Publisher: Sebastopol, CA : O'Reilly, [2009]
Copyright date: ©2009
Description: online resource (xv, 281 pages) : illustrations.
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9780596527488 (paperback); 0596527489 (paperback); 9780596555542 (e-book); 9780596551285 (e-book).
Other title: Leading security experts explain how they think [Cover subtitle :].
Subject(s): Computer networks -- Security measures
DDC classification: 005.8
Online resources: E-book
List(s) this item appears in: E-BOOK LIST
Holdings
Item type Current library Call number Status Date due Barcode Item holds
e-BOOK MTU Bishopstown Library eBook 005.8 Not for loan
Total holds: 0

Enhanced descriptions from Syndetics:

Although most people don't give security much attention until their personal or business systems are attacked, this thought-provoking anthology demonstrates that digital security is not only worth thinking about, it's also a fascinating topic. Criminals succeed by exercising enormous creativity, and those defending against them must do the same.



Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:

  • The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey
  • How social networking, cloud computing, and other popular trends help or hurt our online security
  • How metrics, requirements gathering, design, and law can take security to a higher level
  • The real, little-publicized history of PGP

This book includes contributions from:

  • Peiter "Mudge" Zatko
  • Jim Stickley
  • Elizabeth Nichols
  • Chenxi Wang
  • Ed Bellis
  • Ben Edelman
  • Phil Zimmermann and Jon Callas
  • Kathy Wang
  • Mark Curphey
  • John McManus
  • James Routh
  • Randy V. Sabett
  • Anton Chuvakin
  • Grant Geyer and Brian Dunphy
  • Peter Wayner
  • Michael Wood and Fernando Francisco

All royalties will be donated to the Internet Engineering Task Force (IETF).

Includes bibliographical references and index.

Electronic reproduction: ProQuest LibCentral. Mode of access: World Wide Web.

Table of contents provided by Syndetics

  • Preface (p. xi)
  • 1 Psychological Security Traps (p. 1)
  • Learned Helplessness and Naïveté (p. 2)
  • Confirmation Traps (p. 10)
  • Functional Fixation (p. 14)
  • Summary (p. 20)
  • 2 Wireless Networking: Fertile Ground for Social Engineering (p. 21)
  • Easy Money (p. 22)
  • Wireless Gone Wild (p. 28)
  • Still, Wireless is the Future (p. 31)
  • 3 Beautiful Security Metrics (p. 33)
  • Security Metrics by Analogy: Health (p. 34)
  • Security Metrics by Example (p. 38)
  • Summary (p. 60)
  • 4 The Underground Economy of Security Breaches (p. 63)
  • The Makeup and Infrastructure of the Cyber Underground (p. 64)
  • The Payoff (p. 66)
  • How Can We Combat This Growing Underground Economy? (p. 71)
  • Summary (p. 72)
  • 5 Beautiful Trade: Rethinking E-Commerce Security (p. 73)
  • Deconstructing Commerce (p. 74)
  • Weak Amelioration Attempts (p. 76)
  • E-Commerce Redone: A New Security Model (p. 83)
  • The New Model (p. 86)
  • 6 Securing Online Advertising: Rustlers and sheriffs in The New Wild West (p. 89)
  • Attacks on Users (p. 89)
  • Advertisers As Victims (p. 98)
  • Creating Accountability in Online Advertising (p. 105)
  • 7 The Evolution of PGP's Web of Trust (p. 107)
  • PGP and OpenPGP (p. 108)
  • Trust, Validity, and Authority (p. 108)
  • PGP and Crypto History (p. 116)
  • Enhancements to the Original Web of Trust Model (p. 120)
  • Interesting Areas for Further Research (p. 128)
  • References (p. 129)
  • 8 Open Source Honeyclient: Proactive Detection of Client-Side Exploits (p. 131)
  • Enter Honeyclients (p. 133)
  • Introducing the World's First Open Source Honeyclient (p. 133)
  • Second-Generation Honeyclients (p. 135)
  • Honeyclient Operational Results (p. 139)
  • Analysis of Exploits (p. 141)
  • Limitations of the Current Honeyclient Implementation (p. 143)
  • Related Work (p. 144)
  • The Future of Honeyclients (p. 146)
  • 9 Tomorrow's Security Cogs and Levers (p. 147)
  • Cloud Computing and Web Services: The Single Machine Is Here (p. 150)
  • Connecting People, Process, and Technology: The Potential for Business Process Management (p. 154)
  • Social Networking: When People Start Communicating, Big Things Change (p. 158)
  • Information Security Economics: Supercrunching and the New Rules of the Grid (p. 162)
  • Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All (p. 165)
  • Conclusion (p. 168)
  • Acknowledgments (p. 169)
  • 10 Security By Design (p. 171)
  • Metrics with No Meaning (p. 172)
  • Time to Market or Time to Quality? (p. 174)
  • How a Disciplined System Development Lifecycle Can Help (p. 178)
  • Conclusion: Beautiful Security Is an Attribute of Beautiful Systems (p. 181)
  • 11 Forcing Firms to Focus: Is Secure Software in Your Future? (p. 183)
  • Implicit Requirements Can Still Be Powerful (p. 184)
  • How One Firm Came to Demand Secure Software (p. 185)
  • Enforcing Security in Off-the-Shelf Software (p. 190)
  • Analysis: How to Make the World's Software More Secure (p. 193)
  • 12 Oh No, Here Come The Infosecurity Lawyers! (p. 199)
  • Culture (p. 200)
  • Balance (p. 202)
  • Communication (p. 207)
  • Doing the Right Thing (p. 211)
  • 13 Beautiful Log Handling (p. 213)
  • Logs in Security Laws and Standards (p. 213)
  • Focus on Logs (p. 214)
  • When Logs Are Invaluable (p. 215)
  • Challenges with Logs (p. 216)
  • Case Study: Behind a Trashed Server (p. 218)
  • Future Logging (p. 221)
  • Conclusions (p. 223)
  • 14 Incident Detection: Finding The Other 68% (p. 225)
  • A Common Starting Point (p. 226)
  • Improving Detection with Context (p. 228)
  • Improving Perspective with Host Logging (p. 232)
  • Summary (p. 237)
  • 15 Doing Real Work Without Real Data (p. 239)
  • How Data Translucency Works (p. 240)
  • A Real-Life Example (p. 243)
  • Personal Data Stored As a Convenience (p. 244)
  • Trade-offs (p. 244)
  • Going Deeper (p. 245)
  • References (p. 246)
  • 16 Casting Spells: PC Security Theater (p. 247)
  • Growing Attacks, Defenses in Retreat (p. 248)
  • The Illusion Revealed (p. 252)
  • Better Practices for Desktop Security (p. 257)
  • Conclusion (p. 258)
  • Contributors (p. 259)
  • Index (p. 269)

Reviews provided by Syndetics

CHOICE Review

Right from the beginning, this book offers a startlingly fresh perspective on the realm of computer security. The contributing authors, ranging from hackers to some of the most influential developers in the realm of information security, each present a topic as deep and interesting as the next. The book challenges the security field and the common understanding of what is possible and what can be trusted. This work is a must for anyone investigating security on a professional or cursory level. Topics include the rise of PGP encryption and shortcomings in the modeling of intelligent agents, as well as what private hackers can achieve. With an intentional and compelling narrative, the text draws readers into the world of keeping secret information secret and the flaws in the conventional approach and mind-set of doing just that. Even for this reviewer with a background in information assurance and security, learning what gets taken for granted and what becomes standard practice by default was an interesting wake-up call. If this book gains a wide readership, it will certainly revolutionize the way people view information and computer security. Summing Up: Highly recommended. Upper-division undergraduates through professionals/practitioners; general readers.

T. D. Richardson, South University

Author notes provided by Syndetics

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in free software and open source technologies. His work for O'Reilly includes the first books ever published commercially in the United States on Linux, and the 2001 title Peer-to-Peer. His modest programming and system administration skills are mostly self-taught.

John is CTO of the SaaS Business Unit at McAfee, his second stint at McAfee. Previously, he was their Chief Security Architect, after which he founded and served as CEO of Stonewall Software, which focused on making anti-virus technology faster, better and cheaper. John was also the founder of Secure Software (now part of Fortify).



John is author of many security books, including Building Secure Software (Addison-Wesley), Network Security with OpenSSL (O'Reilly), and the forthcoming Myths of Security (O'Reilly). He is responsible for numerous software security tools and is the original author of Mailman, the GNU mailing list manager. He has done extensive standards work in the IEEE and IETF and co-invented GCM, a cryptographic algorithm that NIST has standardized. John is also an active advisor to several security companies, including Fortify and Bit9. He holds a MS and BA from the University of Virginia.
