A richer understanding of what's already understood. Reading "Time Based Security" by Winn Schwartau.
What to read if you want to know more about security.
Technology books don't normally maintain long shelf lives. By the time a book meanders from an author's fingers through editing and the print process, what was true at the start of the process is often stale news by the time the book is for sale.
Take for instance Whitfield Diffie (yes, that Diffie) and Susan Landau's (and that Landau) Privacy on the Line: The Politics of Wiretapping and Encryption, a true classic of privacy technology. It was written in 1998 and updated again in 2007. It's hard to briefly explain how surveillance changed from 1998 to 2007, and utterly beyond my small brain to summarize the leap from 2007 to today. The section on "Identity and Anonymity in the New World" (p. 271) paints a surveillance environment utterly tame compared to the realities of 2021. It's still worth reading that classic, but the vicious arms race between surveillance and those who defend against it changes at breakneck speed, especially since revenue and domestic conflicts started driving the war.
Another case in point, relevant for those in privacy-enhancing technology land. Many years ago, I was conducting a privacy technology workshop for a particularly targeted group outside the US. The conversations touched on PGP and its open-source implementation GnuPG. I mentioned a book, PGP & GPG by Michael W. Lucas, published only a few years earlier in 2006. Back home, I pinged Bill at No Starch Press, which published MWL's book, and asked about plans for an upcoming re-edition, or even the possibility of translating it into other languages. Bill and MWL both laughed, since within a year or two of the book's release, it was stale. Bill offered me a stack of books for free, just to clear up warehouse space.
The book now resides on MWL’s web site on a page entitled Obsolete and Nonexistent Titles. Also included on that page is the first edition of a book I was one of the technical reviewers for, SSH Mastery.
But there are the classics that never lose their relevance. Think "K&R", Brian Kernighan and Dennis Ritchie's The C Programming Language. Originally written in 1978, Prentice Hall can still charge US$60 for it. The core principles of UNIX really haven't changed significantly, at least for some of us, and UNIX and C continue to be relevant in infrastructures and code bases.
There is another book several decades old which I regularly refer to as non-perishable as a Twinkie, Winn Schwartau's Time Based Security (TBS) published by Interpact Press in 1999.
My heavily dog-eared copy has traveled on planes, trains and automobiles for two reasons.
First, it's a small book and easy to toss into a bag last minute before a trip.
Second, a book that effectively teaches threat modeling keeps giving and giving, way past its publication date. Threat modeling is about method, and concrete applications in new scenarios are always possible.
Yes, examples in a book from 1999 will seem dated, but the methods carry on.
The core idea of TBS is this:
When designing security systems, whether physical or digital, protection measures need to last long enough for breaches to be detected and for some reaction to occur.
Yes, that's it. As a shortcut, think about the basic equation:
Protection (P) needs to be greater than the sum of Detection (D) and Reaction (R).
P > D + R
But what does it all mean?
All security systems can ultimately be compromised. It’s not whether they can be compromised, it’s when. There is no perfect, eternal perimeter security.
All fences and walls can be breached in time, even with a delicate geologist's hammer. Anyone who has seen Shawshank Redemption knows that.
But security systems don't normally just rely on protection (P). The other two parts are vital: detection (D) and reaction (R).
Schwartau uses the example of a bank vault. With enough resources and time, all bank vaults are breachable. It's the alarm systems and the response from security staff that make successful bank vault breachers a small elite bunch.
Imagine breaking into a vault on Manhattan's 5th Avenue. It can be done, but detection and reaction make it very difficult. As soon as you pull up the heavy machinery and park on the sidewalk, it's hard to avoid being detected. If the bank vault can hold out long enough for the breach to be detected and for security to show up, some people are going to spend some hard time upstate.
It's not hard to apply P > D + R to digital security.
Consider a firewall. Some still rely on firewalls to "just protect" them. But a critical feature is logging suspicious traffic, then being notified in the event of an issue. Without that, detection time is effectively unbounded, and no amount of protection makes the equation hold.
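To make the P > D + R test concrete, here is a small Python model I've added to this post (it is not from Schwartau's book and not a tool he or anyone else ships). It scores each protected asset by its exposure window, E = D + R - P, and treats "no logging" as infinite detection time. All the names, timings and scenarios below are constructed for illustration, not measured values.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One protected asset in the Time Based Security model.

    All values are in seconds and are constructed for illustration.
    """
    name: str
    protection: float   # P: how long the protection holds against a determined attacker
    detection: float    # D: time from start of breach until someone knows (math.inf = never)
    reaction: float     # R: time from detection until the breach is contained

    def holds(self) -> bool:
        """Schwartau's test: the design works only when P > D + R."""
        return self.protection > self.detection + self.reaction

    def exposure(self) -> float:
        """Exposure window E = D + R - P, clamped at zero; inf means unbounded exposure."""
        return max(0.0, self.detection + self.reaction - self.protection)

    def required_protection(self) -> float:
        """Minimum P that would make this control hold (inf if detection never happens)."""
        return self.detection + self.reaction


def rank_by_exposure(controls):
    """Return controls worst-first, so the largest exposure window is addressed first."""
    return sorted(controls, key=lambda c: c.exposure(), reverse=True)


# Constructed scenarios (hypothetical numbers, not measurements).
VAULT = Control("bank vault", protection=4 * 3600, detection=60, reaction=15 * 60)
FW_ALERTED = Control("firewall + logging + paging", protection=2 * 3600,
                     detection=5 * 60, reaction=45 * 60)
FW_LOG_ONLY = Control("firewall + logs nobody reads", protection=2 * 3600,
                      detection=7 * 24 * 3600, reaction=45 * 60)
FW_NO_LOG = Control("firewall, no logging", protection=30 * 24 * 3600,
                    detection=math.inf, reaction=45 * 60)

if __name__ == "__main__":
    for c in rank_by_exposure([VAULT, FW_ALERTED, FW_LOG_ONLY, FW_NO_LOG]):
        verdict = "holds" if c.holds() else "FAILS"
        print(f"{c.name:32s} P={c.protection:>10.0f}s  D+R={c.required_protection():>10.0f}s  "
              f"exposure={c.exposure():>10.0f}s  {verdict}")
```

The point of the ranking is that the "firewall, no logging" scenario has by far the strongest protection time in the table and is still the worst entry, because its exposure window never closes; the same firewall with logging and paging holds with a fraction of the protection time.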
To be clear, not everyone pours so much praise on TBS.
An old cohort of mine from the *BSD community, Richard Bejtlich of the TaoSecurity Blog, reviewed TBS in 2008 and gave it only three of five stars.
The list of timeless books in technology, and especially security, is short. TBS may not be around as long as, say, Helen Fouche Gaines' Cryptanalysis, which was first published 82 years ago in 1939, but it remains useful 22 years later. Of course, breaking the algorithms of classical cryptography ages well, so it's not a fair comparison.
There's no single must-read book in security, but I think it's possible that TBS should be on any top ten list.
George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
ClearOPS offers knowledge management for privacy and security data that is turned into information that can be used to respond to security questionnaires and conduct vendor monitoring. Do you know who your vendors are?