Book review: Amusing Ourselves to Death

This is a tricky review to write because I’m having a very bad time finishing this book. Indeed, while it did start well, and I was actually interested in the idea behind the book, it easily got nasty, in my mind. But let’s start from the top, and let me try to write a review of a book I’m not sure I’ll be able to finish without feeling ill.

I found the book, Amusing Ourselves to Death, through a blog post in one of the Planets I follow, and I found the premise extremely interesting: has the coming of the show business era meant that people are so submerged in entertainment that they lose sight of the significance of news? Unfortunately, as I said, the book itself, to me, does not make the point properly, as it exaggerates to the point of no return. While the book was written in 1985 – which means it has no way to know the way the Web changed media once again – it is proposed to be still relevant today in the introduction, as written by the son of the author. I find that proposition unrealistic. It goes as far as stating that most of the students who were told to read the book agreed with it — I would venture a guess that most of them didn’t want to disagree with their teacher.

First of all, the author is a typography snob, and that can be easily seen when he spends pages and pages telling all the nice things about the printed word — at the same time, taking shots at the previous “media” of the spoken word. But while I do agree with one of the big points in the book (the fact that different forms make discourse “change” — after all, my blog posts have a different tone from Autotools Mythbuster, and from my LWN articles), I do not think that a different tone makes it more or less “valid”. Indeed this is why I find it extremely absurd that, for Wikipedia, I’m unreliable when writing on this blog, but I’m perfectly reliable the moment I write Autotools Mythbuster.

Now, if you were to take the first half of the book and title it something like “History of the printed word in early American history”, it would be a very good and enlightening read. It helps a lot to put into context the history of America, especially compared to Europe — I’m not much of an expert in history, but it’s interesting to note how in America the religious organisations themselves sponsored literacy, while in Europe, Catholicism tried its best to keep people within the confines of illiteracy.

Unfortunately, he then starts telling how evil the telegraph was by bringing in news from remote places that people, in the author’s opinion, have no interest in and should have no right to know… and the same kind of evilness is pointed out in photography (including the idea that photography has no context because there is no way to take a photograph out of context… which is utterly false, as many of us have seen during the reporting of recent wars). Okay, it’s all gotten much easier thanks to Photoshop, but in no way was it impossible in the ‘80s.

Honestly, while I can understand having a foregone conclusion in mind, after explaining how people changed the way they speak with the advent of TV, no longer caring about syntax frills and similar, trying to say that on TV the messages are drowned in a bunch of irrelevant frills is … a bit senseless. In the same way it is senseless to me to say that typography is “pure message” — without even acknowledging that presentation is an issue for typography as much as for TV; after all, we wouldn’t have font designers otherwise.

While some things are definitely interesting to read – like the note about the use of pamphlets in early American history, which can easily be compared to blogs today – the book itself is a bust, because there is no premise of objectivity; it’s just a long text finding reasons to reach the conclusion the author already had in mind… and that’s not what I like to read.

Hopefully it’ll go better with my next read.

Book Review: Trojan Horse

Last month I reviewed Zero Day; this month I’m reviewing the sequel, still from Mark Russinovich … and you’ll soon notice I’m quite disappointed. The first book had a number of negative sides, but it was acceptable if you think of it as “the first book of an author” — this book, I find worse than the first one, which makes it even worse considering it’s not the first one! Once again spoilers might follow, especially for the book before this! Actually, there aren’t many spoilers, especially if you read the first one and you’re expecting nothing exceedingly new from this.

So first the good news: no textspeak this time! Yay! Too bad it wasn’t written this way from the start, but okay. Also this time the author admits that there are other platforms besides Windows, repeatedly name-checking (a vulnerability in) Android. That’s about it for good news. The bad characterization of characters and stereotypes is more or less the same, although he seems to have added the straw dissident to please the critics. That’s not how it works. Especially because said dissident and his brother (again) meet in a tent (again) in the desert. Are you kidding me?

It goes especially into head-scratch territory when he repeats again that Muslims have to be terrorists, and that it’s unlikely for an Iranian to be one if he’s not practising, or when he notes that “Armenians were Christians, hardly likely to be terrorists”. Somebody has got to make Russinovich read about the IRAs just so he stops giving this kind of stereotype continuity. At least this time the damsel in distress is a bit less useless, but still she is in distress (more so than Rapunzel in Tangled, to give you an idea).

But that’s not the worst problem this time; now the problem is that for somebody who is in our line of business, or who has at least half a clue about technology, the WTF count is quite high. I have for the first time used Kindle’s note-taking options thoroughly through the book to be able to point out some of these, because they are extremely bothersome even for a not-so-picky reader like me.

First problem: repetitions. In TV series and made-for-TV movies, it’s extremely common for plot points to be repeated over and over ad nauseam; this is by design: before Netflix, Hulu, Amazon Prime and so on, most people tuned in in the middle of an episode and they might not have had any clue about what was going on before. In a book, this doesn’t make the same amount of sense — it makes sense if backstories and backgrounds are repeated from previous books, but once per book is enough. Going on for the first quarter of the book about how the protagonist foiled a terrorist plot in the book before doesn’t help, nor does repeating the fact that the “air gap” has been breached thanks to “an Android vulnerability”.

On a smaller scale, the first 50 pages of the book repeat “Al Qaeda” at least a dozen times. And on a stylistic note instead, he keeps using “all but *something*” forms in the book, even in the words of people who shouldn’t be speaking English to begin with — you can accept the “autotranslation”, but that kind of form is hard to use for a non-native speaker to begin with, and at least for Latin-based languages it’s extremely hard to translate.

Speaking about foreign languages, I guess Italian is not high in Russinovich’s knowledge; he puts one of the characters within a (as far as I can tell) fictional organization which would be the “Iranian Democratic Front” based in Italy, but he gives it a Spanish name (“Frente Democrático Iraniano”). Interestingly enough it was almost correct, as the Italian name in that case should have been “Fronte Democratico Iraniano”. Oh well, I guess geography or foreign languages are his best subjects.

Then there are some cringeworthy but still possible references all over the place, like a couple of places where auto-capitalisation probably burnt the author and nobody caught it before, such as “the Intel sat” (as in satellite). That’s okay, it can happen. There’s also a note about being able to “search the Internet” on board an intercontinental flight (I know some airlines have that in business class, but is that an “in your face, I’m actually flying business class”, or simply a missed point?), or the fact that the Swiss-Italian border control scans all incoming passports for images, “making a copy of the page” (it’s possible, but I find that extremely unlikely…).

But the big WTFs come up in many places as well:

  • in Russinovich’s fantasy land, mIRC is “an encrypted chatting program” (verbatim, I swear, I’m not making this shit up!), used by the DOD, although “modified [the code] to require both public and private key codes between parties” — now, if you’ve not spent time on Windows in the past … 20 years or so, mIRC was, at one time, a very common IRC client… the author of which, while British, happens to be of Palestinian and Syrian origins; while I’m not putting all people of Middle Eastern origin in the same category as the book’s author, I find it extremely difficult for the US DoD to get the sources of, modify and use a client written by a non-American author, especially for secure communication!
  • oh, by the way, nice way to feel secure: “Digital signatures could not be altered. Period.” (verbatim quote); yes, because attacks on digital signatures are unheard of, right? I can understand that you can strongly trust a strong digital signature, but a stupid blanket statement like that is more trouble than it’s worth!
  • somehow, while Windows and Android are named clearly and accurately, in the parallel universe of the book Microsoft merged Office and Works into “Microsoft OfficeWorks”; you could have called this a “bland name”, if he weren’t insisting on the name OfficeWorks so many frigging times over the first half of the book. Was it a problem with actually giving in to the chance that the vulnerability might have been in Microsoft Office itself? If yes, why does he still say it out loud for Android, instead of having the vulnerability in the Robotic cellphone OS?
  • also for whatever reason instead of “software”, “malware”, “source code” … his (expert) characters are expecting “cyber code” to appear. What?
  • two cellphone models are called by name in the book, both of them from HTC: the Hero and the Galaxy — you probably never heard of the latter because it’s a very old (2005ish) Windows Mobile 5.0-based phone; for whatever reason this not really noteworthy device (it doesn’t even have a page on Wikipedia!) is the preferred phone of the (again, expert!) protagonist. The other one, which tended to be fairly unlocked in its European GSM format when not tied to a specific operator, in this universe needs to be “jail-broken” to be able to “acquire any apps [..] from anywhere”.. what? On Android it’s just a matter of changing one parameter, you know…
  • at least it seems like in that world libav’s TDD (Troll-Driven Development) has taken hold, as (once again the protagonist) “trolls the websites” when looking for a new car to buy…

There are a few more minor WTFs in my list but now that I listed the major ones, the others seem like chump change, so I won’t bother.

So at the end of the review, I’d say that this second book is less interesting, more boring, and way less suitable for a technical audience. The ongoing “fight” is a very insipid spy-vs-spy idea, there are “cuts” to CIA offices where nothing of substance happens, and all in all it’s not that thrilling. Save your money, it’s not worth it at all.

Edit: but if it wasn’t clear, I am going to buy an eventual third book, hopeful that the third time’s a charm. Russinovich knows how to write, he just needs to find a better balance between technicalities and technofantasy.

Book Review: Zero Day

Zero Day has been an interesting read. First of all, this is yet another computer guy turned author (Patricia Cornwell and Jim Butcher being two more) — the guy works for Microsoft, of all companies! And honestly, it shows. While the book is not written badly at all, it paints an even worse world than reality is, by having everything based off Windows, including very critical systems…

So how do you categorize this book? I guess you have to call it a cyberthriller, although it has very little cyber in it; it takes place in the present time, in a not-so-improbable situation if, as I said above, Windows is the only possible operating system out there. You can easily guess from the title and blurb that this relates to a computer virus infection that goes on to do damage, which is something that other books try to warn us about. As you’re reading my blog, I expect you to know better than to think that Windows is the only operating system out there and that it’s suitable, for example, for avionics.

So while the story is interesting, it has quite a few pitfalls. The first thing I’d complain about is that the author abuses textspeak! I can sort of understand (but not really accept happily) the stereotypical textspeak among “crackers” and wannabes, but even among high-level IT professionals? Really?! And the same professional who has to be told what l33t5p34k is?!? Honestly it’s painful to have to read through a page filled with textspeak, and it’s almost as painful to find that the author still thinks that people speak over ICQ … that’s so ‘98 (and for those who don’t think 1998 is far away enough, it’s 14 years ago.. where were you at the time?).

But, spoiler alert!

Spoiler follows.

Okay you’ve been warned.

The worst problem with the book, though, is the bad stereotypes embedded into its story. The girls in the IT world who’re not up to the job and need to call the main hero for help … one of whom is actually said to sleep with her boss to move up in her career (while I can think of a few people who have been doing that, which makes it realistic enough, do you really want to spend half a book with such a character, especially given the kind of social turmoil the IT world has been in over the past few years?)… The Russians who can’t stay on the right side of the law for more than a couple of pages… The evil Muslim extremists who seek nothing but the destruction of the West, …

Before somebody takes offense at my words, I’ll be quick to point out that I’m an atheist and I don’t really care whether you believe in something or not, and I care even less about what you believe. So please.

Will I read the next book – Trojan Horse – almost certainly yes. I’ve learnt never to judge a whole series from the first book, especially for new authors. But honestly the book I’ll wait for will come out in November, not September, and it’s the new Dresden Files book, Cold Days… which happens to be out the day before my birthday — I’ll go the extra step and pay the full price for the Kindle edition, I don’t want to wait!

Book (short) Review: Open Advice

Open Advice is a collection of essays edited by Lydia Pintscher which Luca and I (and the rest of the libav trolls developers) heard of at the last FOSDEM. I downloaded it as soon as I came home, but I forgot about it as I was finishing the other books first… I remembered it when I noticed I already had it on the Kindle, and then finally got around to reading it last week. I was actually hoping to write this review earlier but work came first (is it Friday already? Gee!).

Honestly, considering I didn’t catch the whole presentation at FOSDEM, I was expecting a more “community oriented” book, knowing Lydia, but instead I was (pleasantly) surprised that it encompasses a much wider range of issues, all with the common thread of things well-known and well-placed developers would have liked to know when they started.

While for most people who have been involved for a long enough time there isn’t much new to learn, it’s helpful to remind yourself that people are not born with the knowledge, and to contribute properly to a project, they need to know what the “proper” ways are. I think this is the kind of book that LUGs should keep around for the newcomers, and that they should suggest when people want to take a more proactive role.

Out of all the essays of the various authors, the only one I couldn’t finish reading, because I disagreed with what seemed to be the main point of the topic, was Jono Bacon’s — and you can probably guess why, if you’ve read it already.

I’m not sure if I can say much more, besides suggesting everybody read it, whether they are developers, contributors, users or just interested in trying to take a few more steps into our world.

Book Review: Autotools by John Calcote

You probably know how I feel about Autotools books, given I actually wanted to write one, was mostly rejected, and ended up working in my spare time on Autotools Mythbuster — which I really should write more on. Definitely the “Autobook” needed a rehash, that was obvious. The spot was taken not by me but instead by John Calcote, with his Autotools: A Practical Guide To GNU Autoconf, Automake, And Libtool — okay, I’m a bit envious of that, but not excessively.

At any rate, No Starch Press has been tremendously kind and offered me a review copy – I did contact them to propose my guide as a book, and they did tell me they had a book already in the works.. John’s – which I accepted gladly. I actually hoped to post the review much sooner, but between job tasks and Gentoo messes, time was a rare commodity. And to be honest, it felt a lot like reading a textbook when you already know the subject. Don’t get my tone wrong. I find John’s work very stimulating: for a newcomer to the world of build systems, it definitely goes into much deeper detail than most documents I’ve seen before; he also does something that I strive for myself: describing all the related topics: make, autoconf, automake and libtool, plus a number of related, but not directly involved, topics.

For instance, he goes into two important topics that I have only written about in the blog up until now — Position Independent Code and library versioning — and then provides a whole chapter dedicated to tips and tricks, not only tied to Autotools. Some of the tricks were new to me as well, and I’ve been floating in this topic for the best part of the past seven years (even before I joined as a Gentoo developer). Some further insights also show that he’s not tied to the Unix world itself, which is always a positive thing, as a lot of the time we self-validate ourselves and can’t think outside that limited box.

Given these properties, I couldn’t find any reason not to list it on the further readings section of my own guide.

I could stop here with the review, and possibly make John and No Starch pretty happy, but I’d feel like I “sold” myself in the hope of actually keeping a good contact with them as a publisher. But it wouldn’t be right for them either; I owe them my full opinion. Thus, I now have to move on to a few personal grudges I have with John’s approach, without reducing the sheer importance that this book has for all of us developers of Free Software who work with autotools daily: he stuck too much with the point of view of the Autotools’ upstream maintainers.

Don’t get me wrong, it’s obvious that diverting from the authors’ intention for any kind of software is bad, but I have fiercely criticized them before about their failure to agree on what should be used together. They insist that autoconf and libtool can be used standalone, without automake at all, they provide a number of support macros, but not all those you’d be expecting them to, and so on and so forth. All these things actually make me pretty sad, and that’s why I’m trying my best in my text to actually write of a complete build system, using all three of them, plus pkg-config, which John mentions just in passing in the book, and which, as usual I’ll add, feels like a bastard child of the rest of the projects.

It actually goes further than that; while he acknowledges the (must read) Recursive Make Considered Harmful by Peter Miller, he then states (I quote) “[T]he sheer simplicity of implementing and maintaining a recursive build system makes it, by far, the most widely used form of build system.” – Well, I cannot dispute the fact that it is the most widely used form; I can definitely argue a lot about the “simplicity”, especially considering that recursive build systems have atrocious support for parallelisation, and with modern machines growing more in number of cores (or execution threads) than they do in pure speed, that is an important detail to consider, especially for big projects.

Another thing that baffled me is that John is able to describe the Autoconf Archive without making a comment about the policies regarding bundled and non-bundled macros in autoconf … add to that the way he dismisses most of the mistakes in the official documentation, or the idiosyncratic behaviour of some macros, and that is what I call “siding with the authors” (by itself, of course, there is nothing wrong with it; he’s much more objective than I could ever be, I guess). For those who want to take a laugh now, John’s book refers to the Autoconf Archive website; the Autoconf Archive website then links back to Autotools Mythbuster. Heh.

It is debatable, I guess, but for me, despite its subtitle defining it as a “Practical Guide”, I find it a good theoretical textbook; but I disagree that you should be using Autotools the way they are described by John, or by the official documentation for that matter; like it or not, a lot of the technical decisions in those projects are taken after a political stance, and that shows in some recommendations that to me only hinder development and adoption of the tools. And in the current landscape, where cmake is still preferred to build under Windows and, luckily for all of us, scons is finally disappearing, dropping the politics and simply providing a good pragmatic approach to practice is what I was hoping for.

Final words and sound bite/quotable opinion? John’s is an important book, as I already noted. It shows a stirring ecosystem of people working around Autotools; even though we disagree on views and on some technical details, his is the only current and complete text on the tools of the trade. If you’re a newcomer who wants to know how it works behind the scenes in detail, you just have to read it. But if you’re interested in writing a good build system by modern standards, you cannot just stop here. John is showing you the door; but you’ve got to walk through it and proceed to the end of the corridor… deciding which further doors to peek into, and which ones to keep shut.

Book Review: Cyber War

Now that the Sony Reader has become much more useful, I decided to make good use of it already. It wasn’t enough to finally have finished the Time Management book from O’Reilly, I was also finally able to read The God Delusion (shame on me for not having read it before! — Not that I needed it to “convert”, as I’ve been sure about my atheism for over half my life). Reading on the device, even non-technical books, looks most definitely nice, so for the future I’ll try to get an electronic edition of any kind of book before asking for a copy on dead trees.

Little note here, since I read some nasty comments about my atheism from the usual creek of “Free Software Advocates”. Not only are you lame for attacking a developer who actually works on free software for almost all of his free time, but if you decide to attack on this ground, you’re beneath me. On that note, I’m very tempted to just add tracking for visitors coming from these creeks, and refuse their comments on my blog altogether.

But back to the topic; eBooks have this interesting property of fomenting my impulse shopping: you want to read something in particular? Look it up, and in less than half an hour you can start reading; and this timing includes registration on the site if it’s the first time you drop by there. So last Saturday I was watching the latest episode of Real Time with Bill Maher (which I’ll keep admitting I’m downloading illegally, as HBO won’t even let me pay for it here!), and the special guest actually surprised me.

Richard A. Clarke sounded to me, at the announcement, like another of the usual government pinheads who complain about the way the world of the Internet is (in Italy, it’s basically the entire political class, but I also clearly remember an Obama comment about the Internet when asked about Marijuana — again from Bill Maher some time ago). But the book he presented, Cyber War, definitely struck a nerve in me.

I found the book at Kobo, even though it’s still (obviously) unavailable on Amazon UK. Nine euros later I was reading, and it was three in the morning! I finished the book today, reading on and off every time I was too “cooked” to work. It gave me creeps and hopes at the same time.

Despite the evocative “cyber” name to everything, which reminds me more of Neuromancer than a non-fiction state-of-affairs book, Clarke seems to know what he’s talking about. Most of his points are, realistically, more tied to the United States of America than the rest of the world, and he admits that more than a couple of times, but it got me thinking.

I’m relatively disinterested in the military, warfare and conflict aspects that he obviously talks about extensively — it’s what the book is about to begin with. But reflecting upon the sheer amount of interconnections between the “wild Internet” and critical systems is something that scares the crap out of me. You would expect important systems like power grids and railway systems not to be interfacing with the Internet, and most likely they are not, directly, but there certainly is a “hop connection” – like the six degrees of Kevin Bacon – which even for me, more or less working in the field, doesn’t appear natural at first.

What woke me up reading that book was the consideration about rail services; in the USA I guess most of the rail services are freight transit, not public transportation, nowadays. In Italy, trains are mostly people-oriented as far as I can tell, so it gets less logistical, but more civil, as a target. The most obvious Internet-connected system for a transportation system is obviously the reservation system, since you usually order tickets online. But there are more, and more down-to-earth, controls. Last time I was in Milan, I was able to check through my cellphone how much delay there was for my train… what scares me to think about, now, is that the moment the train passed through a station, even without stopping, the website would have told me.

Similarly, the Italian power company has converted most houses to an electronic measuring device — this way they don’t have to send personnel once a year to read the data. This works for the convenience of us users most of the time (before, you paid based on what they expected you to consume until they checked the real usage… you either paid extra the whole year, or you’d have to pay a huge amount to cover what you consumed unexpectedly), but on the other hand, you now get a connection between your house and the power company’s system… I just hope they don’t have enough bandwidth for that to be really problematic.

The book does not try to sell us the kind of “hacking” that goes on TV with shows like CSI, which still seem to think that an electric outlet can get you access to the FBI databases, but, with due handwaving for a non-technical book, explains what the main problem is: you only need to trigger a pre-defined event. In the case of the device I named above, it would “just” take a malicious piece of software (which the book consistently calls a “logic bomb”) that expects a precise sequence of inputs to trigger a cascade failure… you could give those inputs through those devices and be nearly unidentifiable (this reminds me of the slot-machine code in Ocean’s 13, but I digress once again).

Clarke repeats over and over that one of the main problems to solve is to make sure that you can trust the code that runs on your systems, and on that note, while he doesn’t make it too explicit, I think he would welcome all critical systems running on open source software (he does mention open source as a tool in passing a couple of times — and goes on ranting about Microsoft for over an entire page!). While obviously open source does not guarantee you that there is no malicious code – it would be very, very difficult to audit all of it and be sure that there are no intentional trigger sequences in it – it certainly makes it easier to spot those problems than closed-source software does. He definitely seems to understand that security-by-obscurity is of no use, especially as he admits that both the US government and others (he refers mostly to China) have been scouring over the private “intellectual property” of manufacturers – it might be obscure to me and you, but sure as hell it is not obscure to a military force wanting to exploit it!

Put in the light of this book, efforts such as SELinux and the Coverity funding for auditing Linux and other components of Free operating systems make total sense. We can make use of those, but primarily, they want to be able to trust the code. Some of the ideas Clarke gives in the book seem a bit too much for me, though.

While the “back to mainframes” idea that he suggests, specifically noting that Vint Cerf wouldn’t agree with it, might sound like the strangest option, I actually think he has a point there. Total division might be impossible for some tasks, and we’re definitely too used to being able to do everything and the kitchen sink with the same software, but it might be worth considering, in some domains at least.

The one that I find far-fetched is the idea of having Artificial Intelligence write the software from scratch, to avoid the “human factor” introducing bugs by mistake, and backdoors by design. It’s not pure fear that makes me cringe there, but rather the chicken-and-egg problem: who writes the AI in the first place? We have already had examples of software being programmed to hide malicious code within other software (cf. Reflections on Trusting Trust by Ken Thompson).

At any rate, this is one of those books that I will suggest you all read. And in the end, it really gives you so many interesting points of view that you’d really resent the way “cyber crime” is portrayed by CSI or – to a lesser extent, even! – Dan Brown.

Book Review: Secure Programming with Static Analysis

Since last night I finally finished reading Secure Programming with Static Analysis by Brian Chess and Jacob West, I thought it would be a good idea to write some words about the book itself.

The reading is not bad at all, although I guess it’s oriented more toward people who don’t have much real-world experience of handling security in software; while I’m definitely not a security expert myself, I’ve been interacting with them on a regular basis for years now, and most of what Chess and West wrote was already well known to me.

As for the details the book gets into, on the whole it seemed to me much more oriented toward Java-based Web Applications rather than actual code; I guess this might be because, on the whole, where Security is paid more attention to is in “enterprisey” situations, which seem to be where JSP is used most nowadays. There is no lack of C/C++ examples in the book, and I guess for Free Software developers who (hopefully for them) have no contact with the Microsoft environment, the description of Microsoft’s “safe” variants of classical C functions might be interesting, at least as a way to understand their design, and eventually take the same considerations into account when developing Free Software for Linux.
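To make the design consideration behind those “safe” variants concrete (the caller states the destination size, and an over-long source is reported as an error rather than silently overflowing or silently truncating), here is an added C example of my own. It is not code from the book and not Microsoft’s strcpy_s; the names safe_copy, safe_copy_truncate and bounded_len are hypothetical, and the second function shows the alternative BSD-style design where truncation is allowed but made detectable through the return value.

```c
/* Added example, not from the book: two bounded string-copy designs in the
 * spirit of the "safe" C function variants the book describes.
 * Function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum copy_status { COPY_OK = 0, COPY_BAD_ARG = 1, COPY_TOO_LONG = 2 };

/* Length of s, scanning at most max bytes, so an unterminated source
 * cannot be read past the capacity we are about to copy into. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Design 1 (strcpy_s-like): refuse anything that does not fit.
 * dst always ends up NUL-terminated; on failure it is emptied so a
 * caller that ignores the status still never uses stale bytes. */
enum copy_status safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_BAD_ARG;
    }
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size) {          /* no room for the terminator */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, len + 1);      /* +1 copies the NUL as well */
    return COPY_OK;
}

/* Design 2 (strlcpy-like): copy what fits, always terminate, and return
 * the full source length so the caller detects truncation by checking
 * whether the result is >= dst_size. */
size_t safe_copy_truncate(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst == NULL || dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

int main(void)
{
    char name[16];
    if (safe_copy(name, sizeof name, "flameeyes") == COPY_OK)
        printf("copied: %s\n", name);
    if (safe_copy(name, sizeof name, "a string that is far too long") != COPY_OK)
        printf("rejected over-long input, buffer is now \"%s\"\n", name);
    size_t need = safe_copy_truncate(name, sizeof name, "a string that is far too long");
    if (need >= sizeof name)
        printf("truncated to \"%s\" (needed %zu bytes)\n", name, need + 1);
    return 0;
}
```

The point the two designs share, and the one worth carrying over to Linux code, is that the capacity is an explicit parameter and the failure is visible to the caller; which of the two to prefer depends on whether a truncated value is ever acceptable for the data in question (a file path, for instance, should never be silently cut).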

The one thing that I think the book is seriously lacking for what concerns modern security risks is Ruby: with all the software that is currently being developed “agile”, I’d be expecting more coverage of that, as I’d expect it to have a non-trivial influence on the security landscape in the future (and this is not saying that it hasn’t shown its security problems already). I guess that having Rails as the main, central interface to all the web applications is both a good and a bad thing: bad because every vulnerability in Rails is a possible vulnerability for a long list of applications, good because it centralises enough of the tasks to avoid re-implementation mistakes.

I sincerely hoped it would show in more detail how to implement static analysis in practice, but given that the authors work for a company selling a static analysis tool, they only show how it works in the last two chapters of the book (once for Java and once for C/C++). It includes a CD with a demonstration version of the Fortify SCA software itself.

As far as I could see, there are no factual mistakes in the book but one (assigning the W^X implementation to FreeBSD rather than OpenBSD, oops!), and the reading is quite nice; some of the examples are also not that obvious, so it’s still mind-clearing for those who have a bit of security background already.

Unfortunately, there is one thing from the book that I didn’t like too much, and that is the “security over everything else” approach they suggest taking many times during the course of the book. While I can see – and agree to some extent with – its importance, it is also true that the success of modern software is always accompanied by some kind of moderation. When they tell you not to give the user any information about a failure, to prevent an attacker from understanding which tripwires they touched, they are reducing user-friendliness; when they suggest ignoring robustness in favour of security, they are reducing solidity. And it’s not the over-secure UNIX systems that got the top desktop market share, but rather the objectively insecure and unsafe Windows — and you can see how the tightening of the security on the desktop, through Vista and “7” (even though debatable), is causing headaches to developers, system administrators, and users alike.

What it really does teach, though, is some very convincing arguments to prod the management with, to get your security budget and time allocated properly. And it’s not really debatable that it’s something our category always needs to learn.

For the next read, I’m going to check out the opposite approach to static analysis: Fuzzing — knowing both areas is probably the best choice.

ModSecurity, antispam and books

You probably remember that I wrote quite a bit about my use of ModSecurity to handle antispam for the blog’s comments, as it allows me to verify the User-Agent header as well as to have a few extra tricks up my sleeve without enabling either forced registration, captchas or forced comment moderation. Among other things, it allowed me to also disable the 60-day limit for comments on posts: now all the posts have free comments enabled.

But I think I already ranted about the lack of good documentation about ModSecurity: while it’s definitely powerful, it also has a few rules that are definitely draconian, and that makes it almost impossible to use without fiddling for most use cases. Part of this has, in my opinion, to do with the idea ModSecurity was designed for in the first place: putting a stop to vulnerabilities of broken PHP code. I’m not singling out PHP here, they did: more than a couple of rules are designed to work around common PHP code errors. While this can probably be considered good enough, it shows its problems when used with Rails (for instance the “duplicate parameter” rules break Rails pretty badly). For this reason in Gentoo, by default, I disable some of the worst rules (you can still get the original rules by using the vanilla USE flag).

Now, earlier this month, before my one-week vacation, Packt Publishing asked me to review a book (that they published last week) on the subject: ModSecurity 2.5 by Magnus Mischel. I’m still reading through it, given my usual time constraints (and a few unusual ones, including my birthday yesterday), but I can say something about it already: give it a read.

It starts from quite some basics in the functioning of ModSecurity, and that is very good, as it’s exactly what the original documentation lacks. At the start I actually had the wrong impression that it was going to take too “newbie” a look at the thing, but indeed there are some very basic tricks that might not be obvious at all even if you’ve been roaming through the ModSecurity documentation for a while before.

You can say that reading this book has been pretty helpful to both me and Gentoo: on one side I’m understanding how to improve the antispam rules so that they can be published and made available for others to use (I’m considering publishing my own rule set, not only for the antispam, but also as a measure of protection against marketing crawlers that waste everybody’s bandwidth); on the other side, there has been at least one dependency (on mod_unique_id) that I didn’t know about, but which is now fixed in the ebuild you can find in the tree.
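To make the three ModSecurity points above concrete (rejecting comment submissions on the User-Agent header, the “duplicate parameter” rules tripping on Rails, and the mod_unique_id dependency), here is an added configuration fragment written for this review. It is not the blog’s own rule set, nor anything shipped by the ModSecurity project or the Gentoo ebuild: the comment URL prefix, the Rails application path, the log path, the module path, the User-Agent pattern and every rule id (900001, 900002, 999999) are placeholders chosen for illustration, and 999999 in particular stands for whatever id the offending duplicate-parameter rule has in the rule set you actually run.

```apache
# Added example for this review: minimal ModSecurity 2.x comment antispam.
# All paths, ids and patterns below are placeholders, not the blog's rules.

# ModSecurity 2.x needs mod_unique_id for the transaction ids it writes
# into the audit log; the module path is distribution-specific.
LoadModule unique_id_module modules/mod_unique_id.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# 1. Refuse comment submissions that carry no User-Agent header at all.
#    Browsers always send one; many spam scripts do not. The disruptive
#    action (deny) sits on the first rule of the chain; the chained rules
#    only narrow the match, so a GET or a non-comment POST is unaffected.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:1,chain,deny,status:403,log,id:900001,msg:'Comment POST without User-Agent'"
    SecRule REQUEST_URI "@beginsWith /comments" "chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0"

# 2. Refuse comment submissions from generic HTTP libraries. The pattern is
#    a constructed example; check it against your own access log and run it
#    as pass,log first, then switch to deny once the audit log looks right.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:1,chain,deny,status:403,log,id:900002,msg:'Comment POST from scripted client'"
    SecRule REQUEST_URI "@beginsWith /comments" "chain"
    SecRule REQUEST_HEADERS:User-Agent "@rx (?i:^(?:libwww-perl|lwp-trivial|python-urllib)|^$)"

# 3. Rails encodes array parameters as repeated names
#    (post[tags][]=a&post[tags][]=b), so a generic "duplicate parameter"
#    rule from a stock rule set fires on legitimate requests. Remove that
#    one rule only under the Rails application's path instead of turning
#    the engine off for it. 999999 is a placeholder for the real rule id.
<LocationMatch "^/app/">
    SecRuleRemoveById 999999
</LocationMatch>
```

The two chains check the method and the URL before they ever look at the header, which keeps the deny scoped to the comment form; if you later want to feed the same rules to other people, as the post above considers, the per-path `SecRuleRemoveById` is the part they will have to adjust, since the id and the path are both local to the rule set and the application they run.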

Bottom line is, if you’re planning on doing any serious work with ModSecurity, this is definitely a must-read text. Kudos to Magnus, his work is definitely quality work. You can get the book and PDF directly from Packt or get it from Amazon (associate link) if you prefer.

And thanks again to Packt (and Magnus) for the opportunity of improving the Gentoo packaging: I now know of a couple more things I should be looking at to fix in the near future.

What a book!

I used to be an avid reader, totalling well over 10 books read a year, but that was when I was in high school, and I glided over stuff that I think my classmates called “homework”, but I’m sincerely not sure (I never had a particular liking for homework, with the exclusion of the resolution of arithmetical expressions during the Italian equivalent of Junior High school). In those days I sincerely had much more time than I have now, especially if I consider that I’m working almost 18 hours a day, and almost never sleeping.

It took me almost three months to read this book, but I totally enjoyed it and I might actually look for it as an audiobook one day to give it another go; the book in question is “The Gone-Away World” by Nick Harkaway, probably one of my favourite books in recent years, certainly a lucky discovery.

I say discovery because it’s the author’s début book, it’s not part of any series, not even in my usual reading habits range, since I usually read either fantasy or mystery novels or stuff like that; and nobody suggested it to me before, I came to it quite randomly through BBC’s podcasts, in particular the Simon Mayo Book Panel podcast. I actually had to listen back to the review tonight to remember what caught my attention (and it has probably been the references to Douglas Adams and the way the author describes it as “two guys in a truck who save the world”); I just typed the title on my cellphone after waking up (I listen to the podcast to sleep), and at the first chance I had I bought it.

I don’t repent having bought it at all, as I said. Fun, quite thought-provoking, and quite fast paced for a book; I think the last time I read with such pleasure was when I was reading Stephen King’s Dark Tower series. I don’t usually go around writing about the books I read (also because I don’t read nearly as much as I did), but this one I really want to recommend to anybody who’s up for a good novel.

I have already noted down, from an earlier podcast, the title of “The Brief Wondrous Life of Oscar Wao”, even though I never got around to getting it; I guess I should, and see if the podcast’s reviews are really getting out the important juice of the books; and I guess I should resume listening to it; with one thing and the other I didn’t listen to it for so long that iTunes decided to stop syncing it.