Programming Books C Java PHP Python Learn more Browse Programming Books
Geekonomics: The Real Cost of Insecure Software and over one million other books are available for Amazon Kindle. Learn more
Buy Used
$0.01
+ $3.99 shipping
Used: Like New | Details
Condition: Used: Like New
Comment: Excellent condition with minimal visible wear. Biggest little used bookstore in the world.
Access codes and supplements are not guaranteed with used items.
Have one to sell? Sell on Amazon
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Geekonomics: The Real Cost of Insecure Software Hardcover – December 9, 2007

ISBN-13: 978-0321477897 ISBN-10: 0321477898 Edition: 1st

Used
Price: $0.01
14 New from $4.90 30 Used from $0.01 1 Collectible from $20.00
Amazon Price New from Used from
Kindle
"Please retry"
Hardcover
"Please retry"
$4.90 $0.01
Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student


NO_CONTENT_IN_FEATURE

Shop the New Digital Design Bookstore
Check out the Digital Design Bookstore, a new hub for photographers, art directors, illustrators, web developers, and other creative individuals to find highly rated and highly relevant career resources. Shop books on web development and graphic design, or check out blog posts by authors and thought-leaders in the design industry. Shop now

Product Details

  • Hardcover: 384 pages
  • Publisher: Addison-Wesley Professional; 1 edition (December 9, 2007)
  • Language: English
  • ISBN-10: 0321477898
  • ISBN-13: 978-0321477897
  • Product Dimensions: 6.3 x 1.2 x 9.3 inches
  • Shipping Weight: 1.3 pounds
  • Average Customer Review: 4.2 out of 5 stars  See all reviews (13 customer reviews)
  • Amazon Best Sellers Rank: #2,073,151 in Books (See Top 100 in Books)

Editorial Reviews

About the Author

David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for "significant contributions" advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

Excerpt. © Reprinted by permission. All rights reserved.

Extreme Programming Installed

Preface

You may or may not have an inkling of what insecure software is, how it impacts your life, or why you should be concerned. That is OK. This book attempts to introduce you to the full scope and consequence of software's impact on modern society without baffling the reader with jargon only experts understand or minutia only experts care about. The prerequisite for this book is merely a hint of curiosity.

Although we interact with software on a daily basis, carry it on our mobile phones, drive with it in our cars, fly with it in our planes, and use it in our home and business computers, software itself remains essentially shrouded—a ghost in the machine; a mystery that functions but only part of the time. And therein lays our problem.

Software is the stuff of modern infrastructure. Not only is software infused into a growing number of commercial products we purchase and services we use, but government increasingly uses software to manage the details of our lives, to allocate benefits and public services we enjoy as citizens, and to administer and defend the state as a whole. How and when we touch software and how and when it touches us is less our choice every day. The quality of this software matters greatly; the level of protection this software affords us from harm and exploitation matters even more.

As a case in point, in mid-2007 the country of Estonia, dubbed "the most wired nation in Europe" because of its pervasive use of computer networks for a wide array of private and public activities, had a significant portion of its national infrastructure crippled for over two weeks by cyber attacks launched from hundreds of thousands of individual computers that had been previously hijacked by Russian hackers. Estonia was so overwhelmed by the attacks Estonian leaders literally severed the country's connection to the Internet and with it the country's economic and communications lifeline to the rest of the world. As one Estonian official lamented, "We are back to the stone age." The reason for the cyber attack? The Russian government objected to Estonia's removal of a Soviet-era war memorial from the center of its capital Tallinn to a military cemetery.

The hundreds of thousands of individual computers that took part in the attack belonged to innocents; businesses, governments, and home users located around the world unaware their computers were used as weapons against another nation and another people. Such widespread hijacking was made possible in large part because of insecure software—software that, due to insufficient software manufacturing practices leaves defects in software that allows, among other things, hackers to hijack and remotely control computer systems. Traditional defensive measures employed by software buyers such as firewalls, anti-virus, and software patches did little to help Estonia and nothing to correct software manufacturing practices that enabled the attacks in the first place.

During the same year, an experienced "security researcher" (a euphemism for a hacker) from IBM's Internet Security Systems was able to remotely break into and hijack computer systems controlling a nuclear power plant in the United States. The plant's owners claimed their computer systems could not be accessed from the Internet. The owners were wrong. As the security researcher later stated after completing the exercise, "It turned out to be the easiest penetration test I'd ever done. By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh, this is a big problem.'"

Indeed it is.

According to IDC, a global market intelligence firm, 75 percent of computers having access to the Internet have been infected and are actively being used without the owner's knowledge to conduct cyber attacks, distribute unwanted email (spam), and support criminal and terrorist activities. To solely blame hackers or hundreds of thousands of innocent computer users, or misinformed—and some might say "sloppy"—power plant owners for the deplorable state of cyber security is shortsighted and distracts from the deeper issue. The proverbial butterfly that flaps its wings in Brazil causing a storm somewhere far away is no match for the consequences brought about by seemingly innocuous foibles of software manufacturers. As one analyst commented regarding insecure software as it related to hijacking of the nuclear reactor's computer systems, "These are simple bugs mistakes in software, but very dangerous ones."

The story of Estonia, the nuclear reactor, and thousands of similar news stories merely hint at the underlying problem of modern infrastructure. The "big problem" is insecure software and insecure software is everywhere. From our iPhones (which had a critical weakness in its software discovered merely two weeks after its release) to our laptops, from the XBOX to public utilities, from home computers to financial systems, insecure software is interconnected and woven more tightly into the fabric of civilization with each passing day and with it, as former U.S. Secretary of Defense William Cohen observed, an unprecedented level of vulnerability. Insecure software is making us fragile, vulnerable, and weak.

The threat of global warming might be on everyone's lips, and the polar ice caps might indeed melt but not for a time. What is happening right now because of world-wide interconnection of insecure software gives social problems once limited by geography a new destructive range. Cyber criminals, terrorists, and even nation states are currently preying on millions upon millions of computer systems (and their owners) and using the proceeds to underwrite further crime, economic espionage, warfare, and terror. We are only now beginning to realize the enormity of the storm set upon us by the tiny fluttering of software manufacturing mistakes and the economic and social costs such mistakes impose. In 2007, "bad" software cost the United States roughly $180 billion; this amount represents nearly 40 percent of the U.S. military defense budget for the same year ($439 billion) or nearly 55 percent more than the estimated cost to the U.S. economy ($100 billion) of Hurricane Katrina, the costliest storm to hit the United States since Hurricane Andrew.1

Since the 1960s, individuals both within and outside the software community have worked hard to improve the quality, reliability, and security of software. Smart people have been looking out for you. For this, they should be commended. But the results of their efforts are mixed.

After 40 years of collaborative effort with software manufacturers to improve software quality, reliability, and security, Carnegie Mellon's Software Engineering Institute (SEI)—an important contributor to software research and improvement—declared in the year 2000 that software was getting worse, not better.. Such an announcement by SEI is tantamount to the U.S. Food and Drug Administration warning that food quality in the twenty-first century is poorer now than when Upton Sinclair wrote The Jungle in 1906.2 Unlike progress in a vast majority of areas related to consumer protection and national security, progress against "bad" software has been fitful at best.

While technical complications in software manufacturing might be in part to blame for the sorry state of software, this book argues that even if effective technical solutions were widely available, market incentives do not work for, but work against better, more secure software. This has worrisome consequences for us all.

Incentives matter. Human beings are notoriously complex and fickle creatures that will do whatever it takes to make themselves better off. There is nothing intrinsically wrong with this behavior. People, looking out for their own best interests are what normal, rational human beings are want to do. However, the complication is that society is a morass of competing, misaligned, and conflicting incentives that leads to all manner of situations where one individual&...


More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

4.2 out of 5 stars
5 star
8
4 star
2
3 star
0
2 star
3
1 star
0
See all 13 customer reviews
While Cooper and I rail against software's inexcusable dysfunctionality, however, Rice points out very real dangers that threaten the world.
Stephen C. Few
This is one of those, and it may very well be the first I've really enjoyed while trying to put myself in the shoes of the "average computer user" in the world today.
David Shackleford
If you are kind enough to keep the thoughts in this review in mind when reading Geekonomics, you will find the book to be thoughtful and exceptionally helpful.
Richard Bejtlich

Most Helpful Customer Reviews

23 of 23 people found the following review helpful By Stephen C. Few on December 13, 2007
Format: Hardcover
Every once in a while I encounter someone's work whose sanity of argument, integrity of passion, and elegance of expression convinces me in an instant that I have found a comrade. Recently reading the new book "Geekonomics" by David Rice was such an encounter. Rice is a prophet, and like most true prophets, what he is saying is something you won't like hearing. Geekonomics warns against the dangers of software. That's right--software--which we rely upon every day to a rapidly increasing degree. Rice is no crackpot or self-proclaimed guru looking to make a quick buck with this book. His warnings are akin to those of Alan Cooper in "The Inmates are Running the Asylum" and my own as well. While Cooper and I rail against software's inexcusable dysfunctionality, however, Rice points out very real dangers that threaten the world. Most software is bad, not just because it is much harder to use and far less effective than it ought to be; it is also insecure, which invites danger. The more we rely on software, the more vulnerable we are to the whims of those who would do harm.

Geekonomics explains the fundamental reasons why software of all types usually fails to deliver what we need, especially security, and the threat that this failure invites. The dangers that Rice describes are on the scale of global warming. Did this statement get your attention? Good, because it's true, and the magnitude and imminence of this problem deserves your attention. Just like the threat of global warming, we dare not ignore the threat of insecure software, because software has become the infrastructure of the modern world.

Geekonomics is not only an important book, it is also a good book. Rice is smart and thoughtful, and he knows how to write. If you rely on software (and who doesn't?), you should read this book. If you produce software, you should read this book. You might not like what you read, but you need to hear it, and we all need to do something about it.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
14 of 14 people found the following review helpful By Richard Bejtlich on December 31, 2007
Format: Hardcover
I really, really liked Geekonomics, and I think all security and even technology professionals should read it. Why not give the book five stars then? The reasons are twofold: 1) the book fails to adequately differentiate between safety and security; and 2) the chapter on open source demonstrates fundamental misconceptions that unfortunately detract from the author's message. If you are kind enough to keep the thoughts in this review in mind when reading Geekonomics, you will find the book to be thoughtful and exceptionally helpful.

It is important to remember that Geekonomics is almost exclusively a vulnerability-centric book. Remember that the "risk equation" is usually stated as "risk = vulnerability X threat X impact". While it is silly to assign numbers to these factors, you can see that decreasing vulnerability while keeping threat and impact constant results in decreased risk. This is the author's thesis. Rice believes the governing issue in software security is the need to reduce vulnerability.

The problem with this approach is that life is vulnerability. It is simply too difficult to eliminate enough vulnerability in order to reduce risk in the real world. Most real world security is accomplished by reducing threats. In other words, the average citizen does not reduce the risk of being murdered by wearing an electrified, mechanized armor suit, thereby mitigating the vulnerability of his soft flesh and breakable neck. Instead, he relies on the country's legal system and police force to deter, investigate, apprehend, prosecute, and incarcerate threats.

Consider now the issue of safety vs security. The author makes comparisons using the London sewer, various aspects of driving, and the New York subway system.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
18 of 19 people found the following review helpful By Stephen Northcutt on December 24, 2007
Format: Hardcover
Depending on who you ask, mankind has survived on this planet for somewhere between 10,000 and 160,000 years. However, we are the first generation to be dependent on software. Geekonomics opens with a discussion of the importance of cement and how crucial it is to our civilization. From roads to sewers, cement is our infrastructure and I could not agree more. After the driest summer since they have been measuring such things, the rain has been falling and falling and falling and my farm is one big mudhole. Every unimproved road is dangerous and some of the asphalt is failing. So I am replacing and improving with cement. It is expensive, but cement roads will outlast me, my son and his sons. Software is as important to infrastructure as cement as a foundation of civilization asserts the author of Geekonomics, David Rice, but while considerable energy has been expended to normalize the manufacture and application of cement, much less work has been done with software.

While the cement roads we are putting in will last a hundred or more years, the author points out that software is often essentially obsolete by the time the consumer takes possession of it. In fact, consumers value innovation so much, that it is prized above security even if a quick look at the news shows us the cumulative effect of software failure leading to data breach. At this exact moment, according to privacyrights.org, 216,770,536 consumer records have been lost. As Rice points out, in the 1970s the criminal underground realized there was more money to be made, at less risk of being caught, trafficking in drugs than other forms of crime, so it became a big thing.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Most Recent Customer Reviews


What Other Items Do Customers Buy After Viewing This Item?