The Myths of Security
Author: John Viega

Publisher: O'Reilly, 2009
Pages: 260
ISBN: 978-0596523022
Aimed at: IT Professionals
Rating: 3
Pros: Strong views conveyed with conviction
Cons: Short on answers and practical advice
Reviewed by: Harry Fairhead

This book mostly reads like a blog on random topics. It is composed of forty-eight short chapters and, if you know anything much about security, it is short on content. Most of the chapters also read like rants, with no real evidence offered to back them up. The focus is also mostly on consumer security rather than enterprise security.

Topics include identity theft, viruses, malware, mobile phones and so on. Many of the chapters are only two or three pages long and make one tiny point. For example, one chapter argues that VPNs make things less secure because they let a user connect a home machine to the corporate network, and that home machine might be infected. The proposed solution is to find other ways for the user to reach the same information without a VPN - use web mail rather than POP3/SMTP.

Many of the chapters are about issues that, at the end of the day, the individual reader can do nothing about. For example, the PKI is broken because the trust it rests on is easy to get around: certificates are issued too readily. True enough, but what can you do about it? The same goes for the chapter on why HTTPS is broken, and for "is there anything we can do about identity theft" - yes, but not at the level of the single user; that would need major changes.

Then there are some strange rants, including ones on Captcha, locks and mobile phones, that just make you wonder why they have been included. Chapter 7, "Google is Evil", is particularly puzzling because it is about the way pay-per-click advertising encourages people to defraud Google and the advertiser - why this makes Google evil, and what it has to do with the wider issue of security, is a mystery.

If you want a book that tells you something about security that you could actually use to make your machine or network more secure, you need to look elsewhere. If you want a collection of blog rants on topics that are sometimes vaguely connected to the security industry, you might find it fun - but it would still be better as a blog.

Last Updated (Wednesday, 16 September 2009)