Discussion in 'Computer Security' started by, Feb 24, 2009.

    Robert Slade is a well-respected and well-known infosec practitioner
    who has every right not to like a handbook like the one I edited, if
    only because, at several kilograms in weight, it cannot pass for a
    pocket book. In most cases, however, I do not regard his criticisms as
    appropriate or fair.
    Slade's objections can be summarized as follows:
    (1) the book does not mention works by Denning, Stamp or Winkler,
    authors Slade has reviewed previously;
    (2) the book omits important topics such as malware, cryptographic
    infrastructure or physical security;
    (3) the book is subdivided randomly and the titles of various parts
    are misleading;
    (4) contributions about topics that are treated, such as privacy or
    internet security, are "incomplete", "terse", "unpolished", or
    (5) the book is more about people than about technology, and,
    therefore, questions related to the influence of technology on
    politics, or the other way round, cannot be analyzed properly;
    (6) the book does not offer a historical overview from one
    all-encompassing vantage point.

    To start with the first item in the list, about not mentioning
    Denning, Stamp or Winkler: D.E. Denning is mentioned eighteen times,
    P.J. Denning (her father, I believe) is mentioned three times. P.J.
    Denning is the editor of a very interesting book reviewed by Slade ten
    years ago, dealing with the future of computer security, not with
    its past. Stamp and Winkler are authors of excellent "how-to" books,
    containing some points of historical interest, but they do not offer
    any historical narrative. What I had hoped to include, for instance,
    was a history of I-4, a time-honoured institution where large
    companies have been sharing their experiences with cyber crime and
    industrial espionage. Without it, the history of information security
    cannot be written properly. It did not come as a surprise, however,
    that nobody could be found to write it. The information required may
    still affect the share values of the companies involved.
    The second statement, about omitting important topics in the industry
    such as malware or physical security: this is simply not true. Malware
    is discussed in three contributions: those by DeNardis, by Brenner and
    by Jacobs and his fellow authors. Physical security is treated by
    Yost, writing about Tempest and the radiation of cryptomachines, and
    in contributions about SIGINT establishments where various attempts at
    burgling embassies are mentioned. Some notes about a cryptographic
    infrastructure can also be found in my contribution, but it doesn't
    concern computers, as it is about the 18th century. One of the main
    points of this book is to show that current issues in information
    security can already be found in the era of the electromechanical
    machines or the era of parchment, ink and feather, albeit under
    different conditions and different headings. The historian has to deal
    with the fact that concepts and terms can change over time, as does
    technology, whereas practices still have much in common.
    Now about point three: the way in which the book is subdivided and the
    misleading titles of its parts. The part about communications security
    has an appropriate title, as it does not restrict itself to
    cryptography, or to code breaking for that matter. The contributions
    about Russian, American, Dutch and British SIGINT agencies give
    plenty of examples of the interception of letters or the bribing of
    officials. Nor is the book subdivided arbitrarily. The contributions
    about privacy and export regulations in part five are all about law
    and compliance. They also have in common that they deal with
    government policies affecting the rights of citizens. The effort by
    the US government to limit the export of encryption software is as
    damaging to the privacy of the citizens of Europe as is the
    unprecedented and fully legal amassing of data by American enterprise,
    which can only be curbed by a U.S. government more sensitive to
    privacy issues than previous ones.
    As for the presumed "incompleteness" of certain contributions: it may
    well be true that ongoing research will reveal new facts or insights,
    and this is exactly how it should be. Science is cumulative. Many
    topics still have to be investigated, or have to be investigated more
    thoroughly. Demanding that a handbook should only appear after
    EVERYTHING has been investigated or is known is ridiculous. This is
    tantamount to saying that handbooks should not be published at all.
    That being said, I challenge Robert Slade to come up with a better, or
    more comprehensive, piece about the privacy debate in the U.S. and
    Europe than the one Jan Holvast has written for this book. The
    tremendous advantage of his approach is that it actually relates
    forty years of history on both sides of the Atlantic in slightly more
    than thirty pages.
    Now about point five, the handbook being too much about people and
    not enough about technology. I cannot and will not deny that people
    play an important role in the narrative of this book, but I hardly
    believe that this constitutes a problem. For example, Diffie and
    Landau point out that the rise of the open software community and the
    successful evasion of U.S. export regulations by Philip Zimmermann,
    through an appeal to the Fifth Amendment, paved the way for the
    liberalization of U.S. crypto policies around the turn of the
    millennium. Laura DeNardis tells us that the whole concept of malware
    owes its breakthrough to two people, Morris the father and Morris the
    son, working on different sides of the law. Jack Copeland points to
    the decisive role played by Thomas Flowers, an engineer at the British
    Post Office, in the development of Colossus: a role impossible to plan
    or to anticipate by any of his superiors or colleagues. To these
    examples many more can be added of exceptionally gifted code breakers
    who were able to force their way where nobody else could, more often
    than not acting without the consent of their superiors. One of the
    strange characteristics of the history of information security is
    that so many depend on what is done by so few. This does not mean,
    however, that technical matters are ignored altogether: on the
    contrary. The contributions about code breaking during the Second
    World War, for instance, show which weaknesses of Axis code traffic
    had to be exploited in order to achieve success, and explain how it
    was done.
    Let me finish with Slade's complaint about the lack of an overall view
    of the history of information security. I can understand that such a
    summary would come in handy for someone who doesn't want to read the
    separate contributions. But I doubt whether a summary like that can be
    written at this stage, and the scope of the handbook does not demand
    that such a piece be included. The history of information security is
    treated from different angles, which is exactly how it should be, as
    the approach followed in this handbook is multidisciplinary.
