REVIEW: "The History of Information Security", Karl de Leeuw/Jan Bergstra

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Dec 4, 2008.

    BKHISCCH.RVW 20081020

    "The History of Information Security", Karl de Leeuw/Jan Bergstra,
    2007, 978-0-444-51608-4
    %E Karl de Leeuw
    %E Jan Bergstra
    %C 256 Banbury Road, Oxford, OX2 7DH
    %D 2007
    %G 978-0-444-51608-4
    %I Elsevier Advanced Technology
    %O +44 865 512242 Fax: +44 865 310981
    %O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
    %P 887 p.
    %T "The History of Information Security: A Comprehensive Handbook"

    Chapter one, which stands in for an introduction to the papers in this
    volume, already notes that the title is inaccurate. The editor admits
    that this work is not a history, as such, but an overview from the
    perspective of different disciplines related to information security,
    taking a historical approach in examining the socio-political shaping
    of infosec. The authors ask whether technology influenced public
    policy and politics, and look for information security strategies (or
    the lack thereof) in politics. I found the selection of references
    disquieting, noting that the editor responsible for the choice of
    papers complained that there was no historical material addressing
    industrial espionage, administrative practices, disruption of
    communications with criminal intent, or other areas. No mention is
    made, in the references, to the works of Stamp (cf. BKINSCPP.RVW),
    Winkler (cf. BKCRPESP.RVW, BKSPAMUS.RVW), or Denning (cf.
    BKDENING.RVW) to name just a few.

    I can agree with the emphasis on social aspects of security: security
    is, and always has been, a people problem. Information security,
    however, necessarily involves technology, and the authors of most of
    the papers included in this collection have concentrated so much on
    history (mostly in the form of dates and political rivalries) that the
    questions of influence of technology on politics, or politics on
    technology, can't really be analyzed. Additionally, enormous topical
    areas relevant to information security (such as risk management,
    intrusion detection, cryptographic infrastructure (PKI), physical
    security, computer architecture, application development, and malware)
    are notable by their absence.

    Part one addresses intellectual property. Essay subjects include
    various forms of censorship and self-censorship (with no mention of
    the "full disclosure" debate), the German patent system, copyright,
    and the application of copyright and patent to software.

    Part two looks at items related to identity management, with a highly
    abstract and impractical philosophy of identity, notes on document
    security, a review of identity cards, and a recent history of

    Although entitled "Communications Security," part three is about
    cryptography. The papers on Renaissance (1400-1650) and Dutch (up to
    1800) cryptography, British postal interception up until the 1700s,
    the KGB crypto office, and the NSA (US National Security Agency) are
    of primarily political interest. The articles on rotor cryptography,
    Colossus, and the Hagelin machines have points of curiosity, but are
    still very thin on technical details. A final essay attempts a very
    terse overview of modern cryptographic concepts.

    Computer security is in part four. Early US military evaluation
    standards, some of the basic formal information security models, an
    academic look at application security and auditing, a rough division
    of recent information technology into decade "periods," an equally
    unpolished history of Internet security, and a scattered review of
    computer crime make up this section.

    For some reason questions of privacy and regulations governing the
    export of cryptography are seen to fit together in part five. Three
    papers present US cryptographic export restrictions, a random and not
    completely successful attempt to define privacy, and various US
    undertakings at regulating the use of encryption.

    Part five can't have been lumped together simply due to a lack of
    articles, since part six is a single piece providing a limited and
    incomplete overview of information warfare.

    As a book this volume is disappointing. It is not "a history," merely
    a collection of papers, with little structure or linkage. The topics
    relate to security, but a work on infosec should have more technical
    content and understanding. It is certainly not comprehensive. And,
    at several kilograms in weight, it bears little resemblance to a

    That said, a number of the essays do provide interesting historical
    points, anecdotes, and references. Therefore, those with the stamina
    to work through the material may be rewarded with historical nuggets,
    and pointers to further sources of information.

    copyright Robert M. Slade, 2008 BKHISCCH.RVW 20081020


    "Dictionary of Information Security," Syngress 1597491152
    Rob Slade, doting grandpa of Ryan and Trevor, Dec 4, 2008

    Karl de Leeuw (editor), Feb 24, 2009

    Robert Slade About The History Of Information Security: A Review’s Review

    Robert Slade is a well-respected and well-known infosec practitioner who has every right not to like a handbook like the one I edited, if only because, at several kilograms in weight, it cannot pass for a pocket book. In most cases, however, I do not regard his criticisms as appropriate or fair.
    Slade’s objections can be summarized as follows:
    (1) the book does not mention works by Denning, Stamp or Winkler, authors Slade has reviewed previously;
    (2) the book omits important topics such as malware, cryptographic infrastructure or physical security;
    (3) the book is subdivided randomly and the titles of various parts are misleading;
    (4) contributions about topics that are treated, such as privacy or internet security, are “incomplete”, “terse”, “unpolished”, or “scattered”;
    (5) the book is more about people than about technology, and, therefore, questions related to the influence of technology on politics or the other way round cannot be analyzed properly;
    (6) the book does not offer a historical overview from one, all-encompassing vantage point.

    To start with the first item in the list, about not mentioning Denning, Stamp or Winkler. D.E. Denning is mentioned eighteen times; P.J. Denning (her father, I believe) is mentioned three times. P.J. Denning is the editor of a very interesting book reviewed by Slade ten years ago, dealing with the future of computer security, not with its past. Stamp and Winkler are authors of excellent “how-to” books, containing some points of historical interest, but they do not offer any historical narrative. What I had hoped to include, for instance, was a history of I 4: a time-honoured institution where large companies have been sharing their experiences with cyber crime and industrial espionage. Without it, the history of information security cannot be written properly. It did not come as a surprise, however, that nobody could be found to write it. The information required may still affect the share values of the companies involved.
    The second statement, about omitting important topics in the industry such as malware or physical security: this is simply not true. Malware is discussed in three contributions: those by DeNardis, by Brenner, and by Jacobs and his fellow authors. Physical security is treated by Yost, writing about Tempest and the radiation of crypto machines, and in contributions about SIGINT establishments where various attempts at burgling embassies are mentioned. Some notes about a cryptographic infrastructure can also be found in my contribution, but it doesn’t affect computers as it is about the 18th century. One of the main points of this book is to show that current issues in information security can already be found in the era of the electromechanical machines or the era of parchment, ink and feather, albeit under different conditions and different headings. The historian has to deal with the fact that concepts and terms can change over time, as does technology, whereas practices still have much in common.
    Now about point three: the way in which the book is subdivided and the misleading titles of its parts. The part about communications security has an appropriate title, as it does not restrict itself to cryptography, or to code breaking for that matter. The contributions about Russian, American, Dutch and British SIGINT agencies give plenty of examples of the interception of letters or the bribing of officials. Nor is the book subdivided arbitrarily. The contributions about privacy and export regulations in part five are all about law and compliance. They also have in common that they deal with government policies affecting the rights of citizens. The effort by the US government to limit the export of encryption software is as damaging to the privacy of the citizens of Europe as is the unprecedented and fully legal amassing of data by American enterprise, which can only be curbed by a U.S. government more sensitive to privacy issues than previous ones.
    As for the presumed “incompleteness” of certain contributions: it may well be true that ongoing research will reveal new facts or insights, and this is exactly how it should be. Science is cumulative. Many topics have still to be investigated, or have to be investigated more thoroughly. Demanding that a handbook should only appear after EVERYTHING has been investigated or known is ridiculous. This is tantamount to saying that handbooks should not be published at all. That being said, I challenge Robert Slade to come up with a better, or more comprehensive, piece about the privacy debate in the U.S. and Europe than the one Jan Holvast has written for this book. The tremendous advantage of his approach is that it actually relates forty years of history on both sides of the Atlantic in slightly more than thirty pages.
    Now about point five, the handbook being too much about people and not enough about technology. I cannot and will not deny that people play an important role in the narrative of this book, but I hardly believe that this constitutes a problem. For example, Diffie and Landau point out that the rise of the open software community and the successful evasion of U.S. export regulations by Philip Zimmermann through an appeal to the Fifth Amendment paved the way for the liberalization of U.S. crypto policies around the turn of the millennium. Laura DeNardis tells us that the whole concept of malware owes its breakthrough to two people, Morris the father and Morris the son, working on different sides of the law. Jack Copeland pointed to the decisive role played by Thomas Flowers, an engineer at the British Post Office, in the development of Colossus: a role impossible to plan or to anticipate by any of his superiors or colleagues. To these examples many more can be added of exceptionally gifted code breakers who were able to force their way where nobody else could, more often than not acting without the consent of their superiors. One of the strange characteristics of the history of information security is that so many depend on what is done by so few. This does not mean, however, that technical matters are ignored altogether: on the contrary. The contributions about code breaking during the Second World War, for instance, show which weaknesses of Axis code traffic had to be exploited in order to achieve success and explain how it was done.
    Let me finish with Slade’s complaint about the lack of an overall view of the history of information security. I can understand that such a summary would come in handy for someone who doesn’t want to read separate contributions. But I doubt whether a summary like that can be written at this stage, and the scope of the handbook does not demand such a piece to be included. The history of information security is treated from different angles, which is exactly how it should be, as the approach followed in this handbook is multidisciplinary.
    Karl de Leeuw (editor), Feb 24, 2009