Decipher Library: Holiday Edition

As the year comes to a close, we hope you will have some well-deserved time off to rest and maybe catch up on some reading. We've asked some of our friends and colleagues to recommend a favorite book, new or old, fiction or non-fiction, to help give you a few good options. Enjoy.

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff

Remember that silly movie line, “if you build it, they will come”? Well it applies in spades when it comes to the erosion of privacy and security in the case of mega corporations like Google, Facebook, and Amazon. Except for it’s more like, “if they build it, they will abuse it regardless of what they say now.” We all know “we are the product” by now. But if you really dig into it, it’s worse than you think. How bad? Well---machine learning algorithms that learn to maximize your eyeball time regardless of how awful you may feel---bad. Read this book. Then despair. --Gary McGraw, Ph.D., author of Software Security, Building Secure Software, and many other books

Skunk Works: A Personal Memoir of My Years at Lockheed, by Ben R. Rich

Skunk Works is worth reading because everyone should see how stealth technology was born, but also because the book contains a number of gems for any organization (or person) wanting to bring new technology into the world. One of the stand-out lessons for me is seeing how the mighty Skunk Works, which redefined modern fighter aviation, was not an organization cut free from constraints. At its peak, it was encumbered by almost crippling government bureaucracy. They triumphed despite this. It’s a useful reminder that great technology isn’t created because of open cheque-books and a completely free hand. Creativity seems to crave constraints and always demands its measure of toil. --Haroon Meer, founder, Thinkst

Infrastructure: The Book of Everything for the Industrial Landscape, by Brian Hayes

If you ever look out at our industrial/urban/rural/transportive/built environment and wonder “what the hell does that do?” then this is the book for you. A field guide for the industrial ephemera of our landscape; from railroads to power plants to power, pit mines, dams, and recycling. It’s 500 pages of explanation of the network of technology that we all take for granted. It’s not just a fascinating look at what it takes to maintain this civilization we’ve constructed around ourselves, it’s also somewhat humbling in the realization of how tenuous and precious it all is. Makes you appreciate those people in the reflective vests keeping it all together for us. --Peter Baker, founding designer, Duo Security

Forward: A Memoir, by Abby Wambach

Wambach's career has so many analogies to the infosec industry, I kept thinking of all the CSO/CISOs I've advised over the years while reading her book. First, I was struck by her evolution from a player to a leader. She spends a great deal of time chronicling how selfish she was as team captain until breaking her leg five days before the Olympic game against China in 2008, when she was forced to re-evaluate her role on the team and what they truly needed from her. For anyone transitioning from IC to management, the letter Wambach sends her teammates in China is a must-read.

The second analogy that caught my attention was the evolution of Wambach's relationship with validation. For most of her life, she admits she used soccer and her career to fill that void, eventually leading to the erosion of personal relationships and her physical health. But as she matures in her relationships with others, she finds less destructive, more meaningful, and even uplifting sources of validation beyond her career. This book is both a warning and a cause of hope for workaholics and high achievers. --Melanie Ensign, CEO, Discernible Communications

So You Want to Talk About Race, by Ijeoma Oluo; Americanah, by Chimamanda Ngozi Adichie; Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, by Kim Zetter

I believe information security is fundamentally about how people and organisations work: a social science with a small technical component. I therefore think that reading fiction and non-fiction unrelated to security prepares one better for a security job than we may think.

The relevance in 2020 of So You Want to Talk About Race, Ijeoma Oluo’s book on race and racism in America, is obvious, yet the book is far more than just about that. It is, to put it in security terms, about understanding the threat models of people with fewer privileges than you have and thus relevant to anyone who wants to understand their fellow human beings.

Chimamanda Ngozi Adichie’s novel Americanah is about love and friendships, but also about cultural differences between Nigeria, Britain and the United States. In doing so, this book too touches on the ever important subjects of race and privilege, while also telling one of the best and most compelling stories I have read in recent years.

And if you really, really insist on reading about security during the holidays, Kim Zetter’s 2014 book on Stuxnet remains an essential read for a good understanding of both the past and the present of infosec. --Martijn Grooten, person working in security

As You Wish: Inconceivable Tales From the Making of the Princess Bride, by Cary Elwes

About 15 years ago, I decided to manufacture a personal holiday tradition in the form of watching The Princess Bride every Christmas. The reasoning for this is simple: it is a flawless film, and making it an annual tradition results in enjoying it (at least) once a year. In a similar holiday spirit, I'll recommend "As You Wish", Cary Elwes' behind-the-scenes collection of anecdotes and interviews with most of the cast and production crew. Even better, treat yourself to the audiobook which has Robin Wright, Wallace Shawn, Ron Howard and many others read their own recollections. All the stories are delightful, but it would still be worthwhile if they only included the chapters where everyone shares their favorite Andre the Giant story. After a year that left many of us feeling mostly dead, pick up "As You Wish" if you'd like a concentrated dose of pure joy. --Zoe Lindsey, security strategist, Duo

Tangled Web, by Michal Zalewski

I recommend Tangled Web to every person interested in AppSec. The book walks readers through the fundamentals of web technology, web browsers, and the associated security concerns. The author details the security weaknesses present in browser technology and how engineers can compensate for those weaknesses. The book also supplies very actionable, pragmatic “cheat sheets” to help engineers secure their applications in each chapter. While browser technology evolved since publishing, the underlying principles of the web and security concerns still remain relevant. Further, the book serves as both a reminder and inspiration for engineers to learn the details of the technology in use and examine the security protections (or lack thereof) in a critical way. --Fredrick Lee, chief security officer, Gusto

Keep Calm and Log On, by Gillian Gus Andrews

My team conducts digital security training, much of it oriented to beginners, and it's hard to name any one book as an "onramp" into these topics. I often think, would I share this with my mom? Often, the answer is no, but I did manage to find one in Keep Calm and Log On. Gus Andrews is exceptional at framing thorny issues around information quality, trust, and digital security, in a friendly and accessible way. Even security professionals may find it affirming and therapeutic. --Dr. Martin Shelton, Principal Researcher at the Freedom of the Press Foundation, conducting user research and overseeing security editorial

Industry of Anonymity: Inside the Business of Cybercrime by Jonathan Lusthaus

A very unique book that is as interesting a read for anyone in the field of security, to investigators and even to those outside the industry entirely. It is without doubt the most comprehensive study of the communities behind cybercrime that you can find. Lusthaus spent 7 years travelling the world and interviewing dozens of cyber criminals and researchers alike, and despite the thoroughness of the findings it reads like a novel in terms of how quickly the pages go by. It is filled with insights into the psyche, motivations and history of cybercrime and how it differs from culture to culture. No matter what part of the security industry you might sit on, it always helps to better understand the attacker mindset. Finally, I guarantee that even the most experienced in this area will find themselves pausing for a “huh, did not think of that before” at least once per chapter. Everyone I’ve recommended it to so far has gone on to recommend it to others, so go grab a copy now, and you can join in on this fantastic knowledge sharing pyramid scheme! You most certainly won’t regret it. --Robert McArdle, director of the Forward Looking Threat Research team at Trend Micro

Scrum: The Art of Doing Twice the Work in Half the Time, by Jeffrey Victor Sutherland; Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, by Kim Zetter

As an avid reader, it was hard to pick just two books that have stood out to me most over the years. In terms of program management and team building, ‘Scrum’ is a must-read. It explores how the revolutionary approach to software development can help your organization optimize work processes and workflows. A page turner for the DevSecOps enthusiast. Countdown to Zero Day is another one of my personal favorites. The book exploring the 2010 Iranian Stuxnet attacks reads like a modern day Jason Bourne story, but with the cybersecurity implications akin to a new kind of warfare that has been on the rise in recent years. Stuxnet was the most sophisticated digital attack of its kind - and Kim tells the story impeccably. --Yassir Abousselham, CISO of Splunk

Dealers of Lightning: Xerox PARC and the Dawn of the Computer Age, by Michael Hiltzik

If you want to understand the true nature of the hacker mindset, Michael Hiltzik's painstaking account of the early days of Silicon Valley and the birth of PARC is invaluable. The legendary Palo Alto Research Center began in 1970 and functioned as a skunk works for Xerox, a company that was not necessarily known for agility and speed at the time. PARC was responsible for creating or helping to develop many of the technologies that became core components of PCs and other devices: the GUI, Ethernet, the mouse, a WYSIWYG text editor. The small but incredibly talented and driven group at PARC moved fast, broke things, and helped lay the groundwork for the technology industry as we know it today, for better and for worse. Sadly, Xerox didn't capitalize on many of the innovations developed at PARC, much to the annoyance of the engineers who saw the revolution that was coming. Hiltzik chronicles it all, the good, the bad, and the ugly, in a driving narrative that keeps the suspense intact, even when you know the ultimate outcome. --Dennis Fisher

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, by Ben Buchanan

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics delves into the fascinating world of hackers and states that support and finance them through an international relations lens. Many countries now engage in hacking in the pursuit of their national interests and geopolitics is key to understanding the methods, targets, and motivations underlying those activities. Based on in-depth interviews, declassified files, and forensic analysis of company reports, The Hacker and the State looks at how cyberattacks are used for espionage, sabotage, and for destabilization activities. As reading material, it is extremely hefty (and a bit overwhelming). On a less grand scale, I like The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value. This isn’t a technical nuts-to-bolts book, but one that outlines ideas on how to think about how data is collected and used in a way that enterprises can adapt to their specific circumstances. Privacy is so often framed in terms of good and evil—companies that “care” and companies that don’t—that it is refreshing to see how engineering principles can be applied to how personal information is protected. --Fahmida Y Rashid