Book written by Paul van Oorschot

Book review by Ben Rothke

Bottom Line

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

Review

Speak to some of the world's greatest cryptographers, who can tell you stories of being stopped at a conference by someone who wanted them to look at a new and unbreakable algorithm they created. 

One of the most famous incidents was when Phil Zimmerman, creator of Pretty Good Privacy (PGP), met legendary cryptographers Eli Biham and Adi Shamir (the S in RSA) and showed them his algorithm called Bass-O-Matic.

It took Biham only a few minutes to find some fundamental flaws in Bass-O-Matic. Some of the flaws were weaknesses that made the algorithm susceptible to differential cryptanalysis, an area of Biham's expertise. He also found more profound fundamental errors that completely undermined the algorithm's efficacy. By the time Biham and Shamir finished their lunch, Bass-O-Matic was a lost cause. 

Encryption and cryptography are some of the most fundamental aspects of information security. In Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin, author Paul van Oorschot has written a highly detailed and technical guide to help the reader with fundamental encryption concepts and other areas essential to information security. 

van Oorschot is a writer well suited for the task, as he is an expert cryptographer and a professor of computer science at Carleton University in Ottawa, Ontario (a note to Americans, Carleton University is not Carleton College, which is in Minnesota). 

Early in the book, van Oorschot details 20 design principles for information security. The ensuing chapters detail how to put those design principles into play. This is not a trivial endeavor, as effective security does not exist in a vacuum. With cloud computing and cheap on-premises hardware, it is extremely easy to deploy new systems quickly. However, if those systems do not follow those 20 design principles for information security, they are deployed in an insecure state. 

From a cryptography perspective, the book is not meant for a reader with a Ph.D. in applied cryptography, and while highly technical, it is still very much readable. The book also does not have endless pages of source code that can be irrelevant to readers without a background in software development.

If a book wanted to cover everything about information security, it would be about 3,500 pages long. Furthermore, that is without indexes. At over 400 pages, the book covers all of the core areas of information security. Moreover, what it sacrifices in depth, it makes up for in breadth. 

Some of the core design principles he details include open design, isolated components, database validations, and more. These are core considerations that are often not considered and, worse, ignored. Any organization that takes this list of 20 design principles to heart will undoubtedly have better security controls to show for it.

Even with those design principles, the book provided a chapter on why computer security is hard. van Oorschot observes, as Andrew Stewart wrote in Canon candidate A Vulnerable System: The History of Information Security in the Computer Age, that many of today's fundamental problems in computer security remain from decades ago, despite massive changes in computer hardware, software, applications, and environments. He lists 20 detailed reasons why this is the case.

And it is worth noting that the 20 are but a partial list. Security professionals should not be depressed by this, and more than an oncologist would be depressed in their profession by high morbidity rates. But those 20 reasons can be seen as opportunities for improvement. 

Conclusion

The bottom line is that computer security is not simple, is fraught with challenges, and includes many difficulties on the road. Nevertheless, with all that, it is a fascinating and challenging career and an essential imperative to ensure secure computing.

Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin is an excellent book and a worthy Canon candidate. The information is fundamental to information security. Those who put this into play in their networks will find them much less buggy and vulnerable.

We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except it’s a canon for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!