I asked security expert John Viega to help find the authors for this book out of frustration concerning the way ordinary computer users view security. Apart from the lurid descriptions of break-ins and thefts they read about in the press, average folks think of security as boring.

Security, to many, is represented by nagging reminders from system administrators to create backup folders, and by seemingly endless dialog boxes demanding passwords before a web page is displayed. Office workers roll their eyes and curse as they read the password off the notepad next to their desk (lying on top of the budget printout that an office administrator told them should be in a locked drawer). If this is security, who would want to make a career of it? Or buy a book from O’Reilly about it? Or think about it for more than 30 seconds at a time?

To people tasked with creating secure systems, the effort seems hopeless. Nobody at their site cooperates with their procedures, and the business managers refuse to allocate more than a pittance to security. Jaded from the endless instances of zero-day exploits and unpatched vulnerabilities in the tools and languages they have to work with, programmers and system administrators become lax.

This is why books on security sell poorly (although in the last year or two, sales have picked up a bit). Books on hacking into systems sell much better than books about how to protect systems, a trend that really scares me.

Well, this book should change that. It will show that security is about the most exciting career you can have. It is not tedious, not bureaucratic, and not constraining. In fact, it exercises the imagination like nothing else in technology.

Most of the programming books I’ve edited over the years offer a chapter on security. These chapters are certainly useful, because they allow the author to teach some general principles along with good habits, but I’ve been bothered by the convention because it draws a line around the topic of security. It feeds the all-too-common view of security as an add-on and an afterthought. Beautiful Security demolishes that conceit.

John chose for this book a range of authors who have demonstrated insight over and over in the field and who had something new to say. Some have designed systems that thousands rely on; some have taken high-level jobs in major corporations; some have testified on and worked for government bodies. All of them are looking for the problems and solutions that the rest of us know nothing about—but will be talking about a lot a few years from now.

The authors show that effective security keeps you on your toes all the time. It breaks across boundaries in technology, in cognition, and in organizational structures. The black hats in security succeed by exquisitely exercising creativity; therefore, those defending against them must do the same.

With the world’s infosecurity resting on their shoulders, the authors could be chastised for taking time off to write these chapters. And indeed, many of them experienced stress trying to balance their demanding careers with the work on this book. But the time spent was worth it, because this book can advance their larger goals. If more people become intrigued with the field of security, resolve to investigate it further, and give their attention and their support to people trying to carry out organizational change in the interest of better protection, the book will have been well worth the effort.

On March 19, 2009, the Senate Committee on Commerce, Science, and Transportation held a hearing on the dearth of experts in information technology and how that hurts the country’s cybersecurity. There’s an urgent need to interest students and professionals in security issues; this book represents a step toward that goal.

This book is meant for people interested in computer technology who want to experience a bit of life at the cutting edge. The audience includes students exploring career possibilities, people with a bit of programming background, and those who have a modest to advanced understanding of computing.

The authors explain technology at a level where a relatively novice reader can get a sense of the workings of attacks and defenses. The expert reader can enjoy the discussions even more, as they will lend depth to his or her knowledge of security tenets and provide guidance for further research.

The authors are donating the royalties from this book to the Internet Engineering Task Force (IETF), an organization critical to the development of the Internet and a fascinating model of enlightened, self-organized governance. The Internet would not be imaginable without the scientific debates, supple standard-making, and wise compromises made by dedicated members of the IETF, described on their web page as a “large open international community of network designers, operators, vendors, and researchers.” O’Reilly will send royalties to the Internet Society (ISOC), the longtime source of funding and organizational support for the IETF.

The chapters in this book are not ordered along any particular scheme, but have been arranged to provide an engaging reading experience that unfolds new perspectives in hopefully surprising ways. Chapters that deal with similar themes, however, are grouped together.

Chapter 1, Psychological Security Traps, by Peiter “Mudge” Zatko

Chapter 2, Wireless Networking: Fertile Ground for Social Engineering, by Jim Stickley

Chapter 3, Beautiful Security Metrics, by Elizabeth A. Nichols

Chapter 4, The Underground Economy of Security Breaches, by Chenxi Wang

Chapter 5, Beautiful Trade: Rethinking E-Commerce Security, by Ed Bellis

Chapter 6, Securing Online Advertising: Rustlers and Sheriffs in the New Wild West, by Benjamin Edelman

Chapter 7, The Evolution of PGP’s Web of Trust, by Phil Zimmermann and Jon Callas

Chapter 8, Open Source Honeyclient: Proactive Detection of Client-Side Exploits, by Kathy Wang

Chapter 9, Tomorrow’s Security Cogs and Levers, by Mark Curphey

Chapter 10, Security by Design, by John McManus

Chapter 11, Forcing Firms to Focus: Is Secure Software in Your Future?, by James Routh

Chapter 12, Oh No, Here Come the Infosecurity Lawyers!, by Randy V. Sabett

Chapter 13, Beautiful Log Handling, by Anton Chuvakin

Chapter 14, Incident Detection: Finding the Other 68%, by Grant Geyer and Brian Dunphy

Chapter 15, Doing Real Work Without Real Data, by Peter Wayner

Chapter 16, Casting Spells: PC Security Theater, by Michael Wood and Fernando Francisco

The following typographical conventions are used in this book:

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Beautiful Security, edited by Andy Oram and John Viega. Copyright 2009 O’Reilly Media, Inc., 978-0-596-52748-8.”

If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at [email protected].

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://my.safaribooksonline.com/.

Please address comments and questions concerning this book to the publisher:

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our website at: