Have you ever met a person who gets precisely as excited and distressed about burned toast (when there's oodles of time, a whole loaf of bread, no competition for the toaster and the smoke alarm has not been set off) as about a third-degree burn covering half of an infant's body? That's more or less what it's like reading Vamosi's book.
I should have expected this. There are not a lot of reviews over at Amazon, and it has become abundantly clear that the celebrity favorable comments are from people who are salivated about (positively) by Vamosi in the text. I was reading it because my opinion of the book was requested by someone. And it is published by Basic. None of these are good signs.
This is "Not a Book Review" because I've decided to terminate my relationship with this book while less than one-fifth of the way through it. I've blogged repeatedly over the last two days about problems major and minor with this book. But I'm going to summarize (briefly) what's wrong with it.
(1) He talked to a bunch of "hardware hackers" with no apparent sense of hardware hacking history. That is, a bunch of very clever young men who are very full of themselves and who think that committing crimes because they can, and because their motives are not "evil" is somehow a good idea. These people are annoying, and they can never be bothered to actually sit still and _listen_ to how social constructs provide security, not technology -- and then they complain because no one listens to them. The text is pervaded with this perspective.
(2) The author and the people he quotes repeatedly recommend that security be included "from the beginning", not as an add-on, and that schedules be extended and blah blah bleeping blah. If you are silly enough to believe you can design security in "from the beginning" you are, honestly, probably not able to be helped. This is an arms race. Taking yourself out of the race so you can devise the perfect defense is Not Actually an Option.
(3) The author seems unable to make very basic value judgments about whether security is worth expending any effort or resources on, much less predict whether the end user will give a shit. In fact, the book as a whole is intended to convince end users to care about security and take particular actions as a result. The actions he suggests vary between probably innocuous and potentially expensive/unsafe. Probably the most useful thing he said in the first fifth of the book was don't leave your car idling unattended.
I actually care a lot about security and think about it a lot. There are some straightforward comparisons that can be made between security decision-making and health decision-making. For example, the health care community is extremely worked up currently about everyone using effective sunblock.
"Holick, who chaired the committee that put out the Endocrine Society guidelines, acknowledges a risk of skin cancer from sun exposure in his 2010 book The Vitamin D Solution. But he and others have estimated, based on rates of cancer in the northern and southern United States, that lives saved from greater sun exposure would far exceed those lost to skin cancer.
Evidence for some cancers, he says, is better than others. “If I were to pick one cancer where vitamin D is sure to matter, it would be colon,” he says. “The second would be breast cancer.”"
When I take off my watch, I can see pale skin contrasting with where I'm collecting vitamin D -- but I am careful not to get too much direct sunlight at a time and have avoided any burns for years (there were these few minutes in Las Vegas that turned out to be a mistake, or I could say "decades" . . .).
And it's not just vitamin D. Riding bicycles and many other forms of physical activity have inherent risk, but the very safe thing (staying inside pursuing more sedentary pleasures) has some substantial risks as well.
I don't worry too much about someone driving through my neighborhood opening garage doors (or walking around, I suppose). I _did_ worry about the guy who was going to houses, knocking, and when no one answered, entering and stealing shit. But that guy got caught pretty fast and locked up and I went back to leaving the door unlocked during the day so when my walking partner came to visit I didn't have to go unlock it for her. There is so damn much data out there, that unless you have some reason to believe some person or persons has it in for you (say, because you're a particularly unpleasant person who has made a lot of people mad, or are a particularly wealthy and/or famous person who has attracted a lot of crazies), you can basically make every conceivable mistake with every gadget you own and the worst of the consequences will involve some extra conversations with financial institutions and/or having to get a new credit card or whatever, or eventually changing some of your Facebook settings because you've acquired a cyberstalker.
Honestly, dropping your cell phone in the john is a bigger hassle. And _that_ is _common_ (although they are getting easier to dry out successfully, now that so many of them are single-chip designs).
If you happen to cross paths with someone who hacks your stuff and lets you know about it "for your own good", make sure you tell everyone you possibly can what an awful person they are. If you live with them, kick them out and get a restraining order if need be. Security comes from enforcing community standards. Not through better technology.
If you actually _do_ want to hang onto your stuff, there are some basic strategies to pursue that are worthwhile:
(1) Don't leave your car running unattended. (That really is good advice.)
(2) Don't blog about your vacation until after you have returned home.
(3) Make sure your stuff has people around it most of the time (be home, or have someone keeping an eye on it; park in an area with lots of people looking at the cars who might take action if they see something weird). Security systems are almost all based on the idea that you want to slow the bad guy down until people show up; if people are there, you don't need much security.
(4) Match your environment. If what you are wearing or carrying around or storing around your house is _really_ desirable compared to everything around it, it is a Target.
(5) Destroy paperwork with identifying numbers. If someone wants to grab information out of the air, they have to be there when the information is in the air. But if you leave a piece of paper around with a credit card number on it, it'll just keep sitting there being available.
(6) If you don't feel like doing security on your home computers/network, hire someone to do it for you. Firewalls are your friend.
(7) Know what phishing is, and if you make a mistake and turn over information, call the bank (or merchant or whatever affected account) immediately to change the information so it can't be exploited.
(8) Monitor statements of your financial activities.
(9) If you don't trust the people you live with, and you have to live with them anyway, find a way to effectively quarantine sensitive material from them.
(10) Don't leave your bike near a university or other high bike theft area. But if you have to do so (because that's where you attend school/live/work), lock your bike (I'm not even going to get into the details; you can discuss it with the employees of a local bike shop) and take bits of it with you that can be readily separated from the bike, and don't use a bike you cannot afford to replace.
And, just for yucks: Don't talk about how much cash you are carrying.
I really, really, really do care about security. Honest. I do. But when I'm busy caring about security, worrying about how someone might freeze up my DVD player or, horrors! know what I'm watching doesn't even cross my mind. And it probably shouldn't cross a DVD manufacturer's mind, either, because they should not be focused on a dying product category like DVD players. They should be thinking about video streaming devices. Etc.