REVIEW: "The Myths of Security", John Viega

BKMTHSEC.RVW   20091221

"The Myths of Security", John Viega, 2009, 978-0-596-52302-2,
%A   John Viega
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O'Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   "The Myths of Security"

The foreword states that McAfee does a much, much better job of
security than other companies.  The preface states that computer
security is difficult, that people, particularly computer users, are
uninformed about computer security, and that McAfee does a much better
job of security than other companies.  The author also notes that it
is much more fun to write a book that is simply a collection of your
opinions than one which requires work and technical accuracy.

There are forty-eight "chapters" in the book, most only two or three
pages long.  As you read through them, you will start to notice that
they are not about information security in general, but concentrate
very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface,
a few more essays list some online dangers.  Viega goes on to note a
number of security tools which he does not use, himself.  He then
argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV
software doesn't work.  (I've been working in the antivirus research
field for a lot longer than the author, and I'm certainly very aware
that there are problems with all forms of AV: but there are more forms
of AV in heaven and earth than are dreamt of in his philosophy.  By
the way, John, Fred Cohen listed all the major forms of AV technology
more than twenty-*five* years ago.)  The author subsequently jumps
from this careless technical assessment to a very deeply technical
discussion of the type of hashing or searching algorithms that AV
companies should be using.  And thence to semi-technical (but highly
opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs
have potential problems and therefore should be destroyed.  Eventually
all pretence at analysis runs out, and some of the items dwindle down
to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work
might have value.  Not that you'll learn anything, but that the biases
presented may run counter to your own, and provide a foil to test your
own positions.  However, those who are not professionals in the field
might do well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221

"Dictionary of Information Security," Syngress               1597491152 /
============= for back issues:
[Base URL] site /
CISSP refs:     [Base URL]mnbksccd.htm
Book reviews:   [Base URL]mnbk.htm
Review mailing list: send mail to