
Bio

  • David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.

    David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.


June 12, 2008

The iPhone: A Hacker In Your Pocket

The new iPhone is coming out June 29. This is great. Not only for the millions of users that will undoubtedly rush to buy the newest, slickest toy from Apple, but for the growing number of hackers targeting this device.

You see, there is no such thing as “toy” software – software that is fun to use but has few consequences – and the Apple iPhone is a great illustration of this point. For example, within the first two weeks of the original iPhone’s release, cyber security researchers (a euphemism for "hacker") discovered a critical vulnerability in the iPhone’s internet browser that could allow cyber attackers to hijack the phone…transmitting any files stored on the iPhone back to a cyber attacker. Imagine the creepy feeling you might have if by chance you discovered a stranger rummaging through your underwear drawer (keeping select items) and you perhaps understand the underlying issue of the iPhone’s vulnerability.

The iPhone may be fun, slick, and some might say sexy…but it comes with consequences. Just as early cars were festooned with chrome and tailfins but imperiled highway drivers, so too is the iPhone festooned with glitzy features that could imperil its users on the Information Superhighway. How?

Try not to think of the iPhone as a phone with lots of fun features so much as it is a personal computer – a very powerful personal computer – sitting in your pocket and connected to the World Wide Web. This power and connection brings with it something other than mere utility (and kick-ass graphics): Lots of nooks and crannies – the “features” – that cyber attackers just love to get their hands on, dig into, and eventually, use to dig into you.

As case in point, consider the millions of personal computers around the globe that have already been hijacked by cyber attackers because of vulnerabilities in internet browsers, operating systems, instant messaging clients, word processors, you name it. This has been a significant problem for PC owners (and more often for Apple owners also). Because of these vulnerabilities, cyber attackers have dug, and are currently digging into us, deeply. Search for “Byzantine Foothold” in your favorite search engine and you’ll get the idea. Compared to the in-your-pocket-convenience of the iPhone, PCs are hulking monstrosities, but the iPhone offers much of the same functionality as those hulking monstrosities, plus much more.

The iPhone isn’t so much a phone as it is a potential hacker sitting, not on your desktop computer as has historically been the case, but in your pocket, a magic elf as it were, watching whatever aspect of your daily sit-down-stand-up-move-around life he/she might choose. One of my very talented hacker friends has surmised a way of surreptitiously enabling the accelerometers on the iPhone – the same accelerometers used to switch the iPhone’s display when you rotate the phone – to detect when you are walking…and to automatically record the sensitive conversation you may or may not be having with a colleague about a very personal or professional matter on the way to the bathroom. Creepy? You bet (there's no guarantee he'll stop recording when you get to the bathroom).

Hackers enjoy targeting ascendant technology like the iPhone, because they know millions of users will adopt the new technology as quickly as possible and plug it into things, services, and aspects related to their lives with very little idea of the potential consequences. Such behavior potentially gives remote attackers (in Ukraine, for instance) unprecedented access to your very local life.

More importantly, hackers know that in the market rush to become the ascendant technology, software manufacturers will miss something important, probably lots of important “somethings,” as Microsoft, Oracle, and Apple itself have proven time and time again.

In other words, the software you use has been tested to a degree by software manufacturers to be sure, but not enough of a degree to protect you from very naughty people with a penchant for mischief, mayhem, and maliciousness. And there are a growing number of these people. The rush to market means that consumer dollars and market share are important to software manufacturers, but not necessarily consumer protection. Put simply, your protection is not part of the market competition and therefore not the focus of software manufacturers, until it’s too late.

In 2006, Apple surpassed Microsoft in total number of software vulnerabilities for a given year; a direct result of Apple’s rising market popularity and compelling evidence that it was probably Apple’s relative market obscurity compared to Microsoft’s that made it appear intrinsically “more secure” – whatever that might actually mean – than other software vendors.

In fact, Apple is probably not any “more secure” than any other software manufacturer. This much may be true, but frankly, it’s relatively inexpensive for any given software manufacturer to make whatever assertion about their dedication to consumer protection they like because there is no significant negative consequence to software manufacturers when they’re wrong…even abysmally, continuously, and perpetually wrong.

Attackers love vulnerable software, and the world…including your iPhone…is potentially full of it because software manufacturers keep creating it. As the iPhone gains in popularity, expect more and more attackers to discover and publicly disclose all the possible “mistakes” Apple failed to detect before releasing the phone just as attackers have done with operating systems, internet browsers, media players and so on.

But that is the best case scenario. The iPhone does not apparently have a lot of publicly reported vulnerabilities. Why so? Maybe it does not have a lot of vulnerabilities. But probably not. There may be a more sinister explanation. Attackers have learned the best way to maximize leverage over unsuspecting victims and to prevent victims from defending themselves from, well, Apple’s possible mistakes, is to not publicly disclose discovery of a vulnerability.

By not disclosing a vulnerability it makes it impossible for Apple, or any software manufacturer in a similar situation, to provide a software patch to correct the problem and thus nearly impossible for consumers to meaningfully protect themselves…especially regarding something like the iPhone that cannot easily deploy the traditional defenses like firewalls and anti-virus/spyware we’ve historically employed to counterbalance software manufacturing blunders on our personal computers. In this scenario, where no patches are available, few defenses meaningful, and vendor assertions about consumer protection vacuous, attackers can use their knowledge to surreptitiously exploit the iPhone at will…and you along with it.

Wouldn’t it be great if software manufacturers had greater incentive to focus on consumer protection rather than just consumer dollars and market share? Cyber attackers are merely discovering what software manufacturers failed to sufficiently do themselves, but cyber attackers have more compelling incentives: hijacking you.

The hacker in my pocket is called “Josh.” What’s your hacker’s name? Speak up. Your phone can’t hear you…

June 11, 2008

$6 Billion Front Row Seats to a Train Wreck

How much do front row seats to a train wreck cost? About $6 billion.

I've been ruminating about a story that appeared around February 2008, and it's bugging me to no end. What is the story? This one:

Bush Looks to Beef Up Protection Against Cyber Attacks

To quote:

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Administration officials and lawmakers say that the prospect of cyberterrorists hacking into a nuclear-power plant or paralyzing Wall Street is becoming possible, and that the U.S. isn't prepared. This is "one area where we have significant work to do," Homeland Security Secretary Michael Chertoff said in a recent interview.

In essence, President Bush's "beef up" is to allow the National Security Agency, Central Intelligence Agency, and the Cyber Division of the FBI to conduct domestic intrusion detection; that is, look for the cyber footprints of bad guys breaking into US networks, which seems to be a considerable problem of late (see Byzantine Foothold). This position by the White House is concurrent with a report released by U.S. Intelligence:

The Intelligence Community Tells the American Public All About Cyberwar

To quote:

The US information infrastructure – including telecommunications and computer networks and systems, and the data that reside on them – is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

Our information infrastructure – including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries – increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious.

And under current US policy, it will likely get worse.

So what's bugging me? It certainly isn't the privacy issues that seem to be the major source of protest regarding President Bush's "beef up." What is bugging me is that a majority of US cyber defenses center around monitoring and reacting to malicious activities and tend to define "protection" (at least in my eyes) as preventative measures such as configuration and network defenses (like firewalls and intrusion prevention systems). It makes us nothing more than targets. This also bothers others.

To quote the Director of US National Intelligence, Michael McConnell, in his testimony to the Senate Select Committee on Intelligence:

It is no longer sufficient for the US government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

What I believe Director McConnell is referring to is "active" measures against our cyber adversaries; that is, instead of hiding behind firewalls, instead of merely detecting attacks...you know, the passive stuff...go after the bad guys. Really go after them, whatever that might actually mean in the cyber realm. It's a tempting thought. It's also probably doomed to fail. Why?

What I would like to focus on within McConnell's comment is the phrase "whatever source." In the Art of Statecraft, "whatever source" is a roundabout way of stating your adversaries' name without actually saying it (China, Russia, ahem...).

"Whatever source," in this case, is indeed interesting because it includes our adversaries except, of course, the actual source of our problems in cyber space: software manufacturers...which are the source. Not of cyber attacks, of course, which is what McConnell is talking about, but of the raw materials that enable and invite highly foreseeable cyber attacks, which is what I am talking about and would argue the U.S. Senate should be talking about also.

What are the raw materials of cyber attacks? Software defects. Specifically, software vulnerabilities.

Carnegie Mellon's Software Engineering Institute (SEI) estimates that more than 90 percent of reported security incidents are the result of exploits against software vulnerabilities. With a constant stream of latent software vulnerabilities released by software manufacturers every single day (it still gripes me that Vista is a "work in progress" and Apple is getting its ass handed to them by aspiring hackers), $6 billion is a ridiculous sum to pay for state-of-the-art front row seats to "monitor" the results of the disaster that is current software manufacturing practice. "Active" measures are probably just as misguided.

Cyber attackers may be the source of cyber exploits (the nasty software that hijacks your machine without your knowledge), but software manufacturers are the source of vulnerabilities which cyber attackers exploit in the first place. Software exploits do not exist in a vacuum. There is a direct relationship between a given software vulnerability and a particular software exploit. In fact, they are inextricably joined together: an exploit is dependent upon the existence of a software vulnerability.

Let me put it another way: you can't write a software exploit without a corresponding software vulnerability.

Or, at least, it's incredibly hard to do so. That's why the religious war over vulnerability disclosure practices is such a, well, religious war. By openly reporting software vulnerabilities to the public you give potential cyber attackers knowledge of what to exploit. By not openly reporting software vulnerabilities you can take away this ability. That's good. But you also potentially shield software manufacturers from public shame regarding their blunders and thus delay the creation of a patch to fix the problem. That's not so good.

What to do about open reporting? Not sure. But so far, it can be argued that cyber attackers have benefited far more from open reporting than anyone else. Shame doesn't appear to be a strong enough disincentive for software manufacturers to discover vulnerabilities in their products before researchers/attackers do, because we still have a relentless stream of new software vulnerabilities discovered to this day. And we spend more than ever before on cyber-security and have few successes to show for it (otherwise we wouldn't sound so frantic). That's a kicker. Anyway, my point is that software vulnerabilities are the raw material of exploitation and are the key element in allowing software exploits to impact our economic and national security in the first place.

So, we can certainly spend billions on detecting software exploits in the wild, we could even "go after the bad guys," but I would strongly argue these activities won't change the playing field in any significant manner, because reducing and detecting the number of exploits or even finding the bad guys isn't the issue; it's reducing the number of vulnerabilities that is critical...vulnerabilities that could have been detected by the manufacturer, but were discovered by someone else.

We don't know who the bad guys might be. We might never know. But we do know the names of our software manufacturers that create the software these attackers exploit.

Does it really make sense to have every government, corporation, and computer user in the world spend time, energy, and money defending themselves from new software vulnerabilities discovered on a daily basis, or does it make more sense to focus on the much smaller number of software manufacturers that fail to sufficiently detect their own product's vulnerabilities before releasing it?

The raw materials of exploitation are injected into the software market, and thus our global infrastructure, every day by software manufacturers, not cyber attackers. By drastically reducing the number of software vulnerabilities you take away the raw materials attackers leverage to create exploits. But software manufacturers are not accountable for failing to detect these vulnerabilities before releasing their products. If individuals other than software manufacturers can discover vulnerabilities (like security researchers and hackers), why don't software manufacturers?

Because software manufacturers do not have strong enough incentives to do so.

That US policy makers, heck, that policy makers in general do not address this issue is worrying. Let me reiterate: More than 90 percent of reported security incidents are the result of exploits against software vulnerabilities.

We spend billions on cyber security gymnastics every year, but not a single penny as far as I can tell on pushing software manufacturers with meaningful incentives to change their manufacturing practices. Cyber attackers are merely leveraging what software manufacturers give them. We are paying both for the eager attention of cyber attackers and the inattention of software manufacturers. That is a shame...and incredibly expensive.

In the end, the proposed "monitoring" focuses on the wrong players. If we want to take "proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage," strongly disincentivize the creation of vulnerabilities at the source. Make software manufacturers accountable for their defects just as every other industry that affects public health, safety, and welfare has ultimately had to do.

It won't address every aspect of cyber security, but it is a strong policy stance for national security that is likely to help and cost much less in the long run.

June 09, 2008

Remotely Accessing your Car's Software (via satellite no less)

The June 7th edition of The Economist (Stop that Car!) reports that General Motors' OnStar plans to allow police access to its Stolen Vehicle Slowdown feature. To quote:

"Police who believe a car to be stolen can ask an OnStar operator to disable its accelerator, while leaving the steering and brakes in working order. Some people worry that hackers might take over the system."

No need to worry. You can bet on it.

But there is more. This scenario highlights the amount of software residing in the typical car (which is a lot, by the way). The transmission in a General Motors vehicle is thought to contain some 30 million lines of code. This is as much as the Microsoft Windows XP operating system. And that's just the transmission.

The fact that this software is networked to a satellite control system is no doubt comforting to anyone who has been in an accident (OnStar calls emergency services automatically when your air bags deploy providing your GPS coordinates) and no doubt enticing to those with a penchant for mischief and mayhem.

It's not so much that attackers may go after the OnStar software itself (which is proprietary and therefore difficult to get at), but all the supporting software like operating systems and internet browsers of those wonderfully helpful OnStar associates (think Salesforce.com). Oh, I can see the phishing attack coming now....

June 06, 2008

Nuclear Fumbling

According to a June 5, Washington Post article:

Cyber Incident Blamed for Nuclear Power Plant Shutdown

A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network.

The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

Southern Company spokeswoman Carrie Phillips said the nuclear plant's emergency systems performed as designed...

Yes, but the software did not, and that is the point.

The article goes on to say:

Computer security experts say the Hatch plant incident is the latest reminder of problems that can occur when corporate computer systems at the nation's most critical networks are connected to sensitive control systems that were never designed with security in mind.

Really?!? And what of the consequence for this lack of foresight? What incentives exist to address the problem at the source? Should the contractor applying the patch really be the only culpable party here? Please excuse my rather sarcastic tone on this one. Some might say that this is "nothing new" and we should let it float by. No, we should not.

When will we exhaust our feelings of relief over catastrophes that could have happened because of “bad” software but did not, simply because of happenstance (or, more accurately, nuclear engineers who are more accountable for their blunders than software engineers)?

Oh, I know there are all sorts of arguments why software developers weren't at fault here, or that plenty of other incidents would lead to the nuclear power plant's emergency systems kicking in, but really, isn't this getting a little old? If this is truly "nothing new" it implies software hiccups are a long-standing problem, and that really is the problem.

So I'd like to coin what I'd like to think is a new phrase: "Shit happens. This is true. But more shit happens with software."

Book Review: Anton Chuvakin

Anton Chuvakin, co-author of Security Warrior, posted a powerful review of Geekonomics on his blog:

It Changed My Life: My Review of "Geekonomics"

An excerpt:

I suspect that, by now, every human on Earth who ever laid their hands on a computer knows:

software = might NOT work.

Now, we expect roads, bridges, toasters, chainsaws, bicycles, cars (until they put software in them...) to work and work they do. And if they don't - the company who manufactures them usually makes them work for us fast - or goes away, cut down by the "benevolent" axe of capitalism. Now, software is totally different (my thinking about this one).

And everybody knows it. But nobody was brave enough to take a hard look at this and analyze how that simple fact affected, affects and will affect our society. And, for my extra-paranoid readers: "... and how it might end that very society."

Until "Geekonomics!"

This book might not reveal any secrets about how software works to an IT professional (it will reveal how law works though!), but it will explain why bad software is everywhere, why we are stuck with it, why it will not improve by itself and - sorry for a hysterical note here! - how we might all fucking die because of it. It then unemotionally predicts why more people will certainly die because of bad software.

It studies the complicated dynamics of today's software market such as who is more at fault for bad software - buyers who agree to buy or vendors who make it (or both). It also suggests that many of today's regulations and compliance "thingies" are a little misguided (e.g. in a battle between a PCI DSS-compliant enterprise and a 0-day-wielding hacker, any sane person will bet on an 0-day). It is also very well-written; it won't bore an experienced IT or security pro and it will not overwhelm a mere IT user.

First, it explains why software is the "foundation of our civilization" today, and how it will be more so in the future. Next, it casts a look at "innovation" and ponders how innovation-driven software development relates to the fact that users don't touch 90% of features of a typical software. In the third chapter it presents the view of the "0wned world" where "only the stupid [cybercriminals] get caught." The next chapters look at how government oversight works in other areas (e.g. FDA), how it might work - and how it might fail (and did fail in the past). While doing it, the book dispels the "government will just make it worse" myth (basically, because some things are really bad and quickly streaming towards worse already). The amazing chapter 5 gives the clearest explanation of litigation (torts, etc) that I have ever seen (the book is worth reading just for chapter 5 alone!). Chapter 6 takes a super-pessimistic look at open-source software (no comment - just read it). Finally, several possible futures - "the way forward" - are discussed.

...

So, everybody in software business, security business - in fact, just everybody who uses a computer - MUST READ THIS BOOK! Seriously, understanding the point made there might be a matter of life or death for some (all?) of us.

Anton has started a new website: KilledBySoftware.info

Thank you for the review, Anton.

April 15, 2008

Byzantine Foothold: Before Our Regrets Exceed Our Ability to React

BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. The full article from BusinessWeek is here.

The article goes on to state the U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years. "It's espionage on a massive scale," says Paul Kurtz, a former high-ranking national security official.

Now, of course, my question is: how did such widespread intrusions become possible? BusinessWeek has this to say (note my emphasis below):

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to worm into the State Dept.'s highly sensitive Bureau of Intelligence & Research, a key channel between the work of intelligence agencies and the rest of the government. The breach posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became seen as an internal crisis. Teams worked around-the-clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code was embedded in the Word document, a congressional speech, and opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cyber security engineers began spotting more intrusions in State Dept. computers across the globe.

The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Internet ether. [my emphasis]

Although they were unable to fix the vulnerability, specialists came up with a temporary scheme to block further infections. They also yanked connections to the Internet.

The malware used by the attackers took advantage of previously unknown vulnerabilities (important, this word is plural) for which patches were not yet available. So the world's one and only superpower is potentially laid bare because of a defect that went undetected by the manufacturer before its product was released into the global stream of commerce?!?

The world's one and only super-power also just happens to be the world's one and only super-crash test dummy (a reference to Geekonomics, which states that software buyers are crash test dummies for software manufacturers. We "crash" so the manufacturer knows what to fix.).

More from BusinessWeek:

Adding to Washington's anxiety, current and former U.S. government officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."

I would suggest this: reduce the supply of vulnerabilities. Software exploits do not exist in a vacuum. A software exploit requires a corresponding software vulnerability. Attackers do not "break" software. The software comes already broken from the manufacturer. As such, attackers merely discover the defect, not create it. The attacker's "sophistication" derives from the direct incentive to do what the manufacturer had no (or very little) incentive to do: find the defect first.

Remove, or drastically disincentivize, the production of insecure software by software manufacturers, and our ability to react might just foreclose our regrets.

April 14, 2008

Epilepsy Site Hacked with Flashing Lights

In a remarkably tasteless move, hackers broke into the Epilepsy Foundation's web site in April 2008. Emily Bishop from Iowa State Daily writes:

Sometimes computer hackers hack into a Web site as a joke - but the recent hacking of the Epilepsy Foundation's Web site was no laughing matter.

Rapidly flashing images, which can trigger seizures in people with photosensitive epilepsy, were put on the Web site, according to the site itself.
...
Doug Jacobson, professor of electrical and computer engineering, said what happened to the Epilepsy Foundation's Web site is "unique in that, usually, a computer by itself can't cause harm." [my emphasis]

"It's getting press because of the uniqueness of what [the hackers] did," Jacobson said. "[Hackers] look for vulnerable software and take advantage of it."

The complete article is here.

March 24, 2008

Espionage, Olympics, and the Internet

There are two recent articles that seemed rather uncomfortably related.

The first article is from Yahoo! News:

US Olympic tourists warned about monitoring in hotels

An excerpt from the article:

WASHINGTON (AFP) - Americans traveling to China for the Olympic Games in August can expect their hotel rooms there to be monitored, the State Department warned on its website.

"All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," according to the State Department site.

"All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences and offices may be accessed at any time without the occupant's consent or knowledge," it said.

The second article is from Steinnon on Security from Network World:

China takes off cyber gloves

An excerpt from the article:

Are you a manufacturer? Are you responsible for IT Security at a government agency or research lab? Are you an athlete? Do you represent the cause of freedom in Tibet or peace in Darfur? If so, you have a new enemy. The government of the largest country in the world [China] is after your data. They have resources you cannot even dream of. They are organized. They know what they are doing.

Now, imagine the two articles juxtaposed. The following might give you a taste of how pervasive and devastating espionage, cyber or otherwise, can be. My additions are in square brackets.

Americans traveling [the Internet]...can expect their [actions] to be monitored, the State Department warned on its website. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations [on the Internet]," according to the State Department site. "All hotel rooms and offices[, computers, blackberries, iPhones, gaming systems] are considered to be subject to on-site or remote technical monitoring at all times. [These] may be accessed at any time without the [owner's] occupant's consent or knowledge," it said.

There are no small targets on the Internet. Once you connect, you and your software are part of the whole whether you like it or not.

March 19, 2008

Insanity: 75% of Security Breaches Due to Flaws in Software

CSO Magazine ran this article on March 8, 2008:

Insanity - Doing the Same Thing Over and Over Again Expecting a Different Result

To quote:

A Gartner study indicates that 75% of security breaches are due to flaws in software...Do you think we would see a significant decrease in the number of data breaches and records stolen if we shifted our spend to actually writing proper code and protecting data at the source instead of at the edge? I think it is time we gained a few IQ percentage points and stopped the insanity.

I would tend to argue, unequivocally, yes. Absolutely yes. Our perverse and dysfunctional relationship with software, particularly insecure software, is not only insane, but outright madness. Those who have read my blog and Geekonomics know my mantra:

Insecure software sends an unmistakable message of disorder into the environment of cyber space. Small elements of disorder (like software vulnerabilities) invite greater elements of disorder, even cyber crime.

Cyber crime, in part, preys on the weaknesses software manufacturers themselves fail to detect before releasing/publishing the application into the global stream of commerce. To change the story of software, and thus the story of cyber crime, software manufacturers need different incentives to improve the quality and security of software.

Stop the rising trend of vulnerabilities, and thus the insanity, at its source. To do so is painful, difficult, complicated, and troublesome. Human endeavors of any significance are like this. I would argue History has taught us that much, at least.

January 29, 2008

Book Review: Dorothy Denning

I had a great discussion with Dorothy Denning after she read Geekonomics. For the benefit of those readers outside the information security profession, Dorothy is one of the world's most respected computer-security experts having published four books and over 120 articles. She was a professor at Georgetown University and is now a professor at the Naval Postgraduate School. I am truly delighted to post the following review by Dorothy:

"I loved this book. It is probably the most engaging and important book relating to security that I've read. Geekonomics tackles head on the growing security and safety problems brought on by faulty software, and what needs to be done. If you read only one book this year, Geekonomics should be it."

Thanks so much for the wonderful review, Dorothy.