Before I start, I want to be up front that the Cybersecurity Canon Committee selected this book for the Hall of Fame. The committee is a group of seasoned professionals and I'm honored to be part of the group. If the consensus is that this is a good book, then it probably is. But man, from where I sit, this is an odd book.
The book's title suggests it's about infosec history, and there is plenty of history in it, but it's scattershot and leaves out giant chunks: anti-virus, zero trust, intrusion kill chain prevention, Cyber Threat Intelligence, machine learning, application firewalls, SOAR, SIEMs, Identity Management, XDR, SASE, and software defined perimeter, and all of that is just off the top of my head. It feels like it was written in 2010, not 2021; that the author, Andrew Stewart, stopped researching and didn't take into account any of the developments from the last decade. He doesn't reference any of the most important books from that time like Andy Greenberg's "Sandworm," David Sanger's "The Perfect Weapon," Parmy Olson's "We Are Anonymous," and Kim Zetter's "Countdown to Zero Day," and he doesn't reference what I would consider two foundational and must-read white papers from that time: Kindervag's zero trust white paper and Lockheed Martin's intrusion kill chain paper.
It's clear that he doesn't think much of the infosec community either: every major group, from the security vendors, to the hacker culture, to software designers. The entire book is partially a thinly veiled rant against these folks. And he thinks that infosec security is solely dependent on preventing software bugs, and potentially zero day exploits, from popping up when, according to the Mitre ATT&CK framework, "the vast majority of the adversary behaviors catalogued in ATT&CK do not rely on an exploitable vulnerability."
Specifically, he's really mad at something he calls stunt hacking, when hackers compromise cars and ATM machines for the purpose of entertaining the DefCon crowd, as if that is the cause of all the security problems that he doesn't like. His criticism focuses on what he calls three stigmata (from dictionary.com: a mark of disgrace or infamy; a stain or reproach, as on one's reputation): data breaches, nation state activity, and opportunity costs created by epistemic closure (an alternate reality like stunt hacking). But he never made it clear to me as to why these three things are important in a book about infosec history. The first two, data breaches and nation state activity, are a partial list of attack motivations and really should include cyber crime, hacktivism, espionage, influence operations, general mischief, and continuous low level cyber conflict between nation states. The last stigmata, opportunity costs, is such a small issue today that I'm scratching my head about why Stewart thinks it's so important. Don't get me wrong, stunt hacking is part of our infosec history (read Joe Menn's "Cult of the Dead Cow" for a more detailed view). I disagree with him that it's a stigmata.
He's hung up on the idea that, since the beginning of the digital age (late 1940s), nobody has been able to define what a secure computer really is, when the industry stopped worrying about that problem well before the 2000s. Today, it's more about how you manage risk, not about how secure the computer is.
He makes a lot of assertions, in passive voice (it is said or it is thought) but rarely ties it together with who said it or who thought it. His view seems to be that everything is horrible and we need to start over.
To be fair, he started off well with the early history of mainframe computers and the incipient research on how to secure them. His coverage of this early time is quite good, starting with the first Federally Funded Research & Development Center (FFRDC, a US government-funded nonprofit entity), the Rand Corporation (led by the retired Air Force combat General Curtis LeMay) and others in the Department of Defense. But when he gets to the personal computer revolution in the 1980s, he starts to fly off the rails. Some parts are good but, like I said before, he misses big pieces.
I kept waiting for him to offer a solution to all of his complaints. Finally, in the last chapter (actually in the epilogue) he recommends more information sharing with academia. Yikes.
With all of that, my recommendation is to read this book for the partial history if you must. Like I said before, his history of the early days (late 1940s to late 1970s) is quite good. But there are better books and papers out there for a more modern view (2000 to 2020; see my partial list below).
Source
"A Vulnerable System: The History of Information Security in the Computer Age," by Andrew Stewart, Narrated by Rick Adamson, Published by Cornell University Press, 15 September 2021.
---
References
"Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," by Kim Zetter Published by Crown, 2014.
"Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World," by Joseph Menn, Published by PublicAffairs, 2019.
"Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks," by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), The Cyber Defense Review, Fall 2020.
"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," by Eric Hutchins, Michael Cloppert, Rohan Amin, Lockheed Martin Corporation, 2010, Last Visited 30 April 2020.
"No More Chewy Centers: Introducing The Zero Trust Model Of Information Security," by John Kindervag, Forrester, 14 September 2010.
"Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," by Andy Greenberg, Published by Doubleday, 7 May 2019.
"The Bomber Mafia: A Dream, a Temptation, and the Longest Night of the Second World War," by Malcolm Gladwell, narrated by Malcolm Gladwell, Published by Little, Brown and Company, 27 April 2021.
"The Innovators: How a Group of Hackers, Geniuses and Geeks Created the Digital Revolution," by Walter Isaacson, Published by Simon and Schuster, 7 October 2014.
"The Perfect Weapon: How the Cyber Arms Race Set the World Afire," by David E. Sanger, Published by Crown, 19 June 2018.
"We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency," by Parmy Olson, Published by Little, Brown and Company, 2012.
"What is Threat-Informed Defense?" by Richard Struse, Tidal, 25 January 2022.
This is, there's no kind way to say this, a childish book.
The first 80% or so is a history of Information Security up till "the present". It's adequate, but contains nothing you shouldn't already know just from background knowledge and following sites like Ars Technica. What's missing in this part are:
- any discussion of the world outside the US (at least a confirmation perhaps that nothing important happened outside the US)
- a discussion of the significance (or otherwise) of some of the more recent developments. For example we have heard a lot about Spectre and its endless follow-up variants, and these have even had significant consequences for Intel. What I am unaware of (and the book does nothing to help) is whether they have had any actual consequences for security. Have they been used by NSA or Mossad in various clever ways? Or were they simply stunts?
But after the first 80% we get to "analysis and prognosis", and OMG is this bad. Just a litany of one form of childishness after another. The author applies a vulgar Marxism/criticism of capitalism to his analysis of every motivation, even as, a few paragraphs later, he describes multiple behaviors (hacking to acquire nudes, hacking to acquire medical info, hacking to acquire military info, hacking to acquire glory) that are driven by motivations that fall far outside the remit of "capitalism as a system of acting, within a legal framework, to provide value that others will pay for". He criticizes the existence of stunt hacking, while ignoring the fact that the primary reason this exists is that journalists (god forbid anyone ever criticize journalists, the saints of our age...) are suckers who will eagerly publicize this stuff, no matter how stupid or ludicrous. He ignores the massive progress that has been made in security. Yes, things are not perfect. But just as breaking into a large city bank is rather different from stealing from a shack in the wilderness, attacking even most "simple" targets these days (e.g. someone's PC or phone) is non-trivial, and getting harder every year.
The biggest act of childishness is a kind of cri de coeur of "why hasn't this all been fixed; why doesn't someone DO something?", the eternal lament of the non-engineer who simply does not understand (and refuses to learn) that the universe does not just hand out answers as we wish! Every change that has improved security came about through complicated analysis, difficult and imperfect. Screaming that "this is not good enough" will not change that. This stuff is HARD and it improves as fast as humanly possible. 100 years ago we had no idea about any of this. 50 years ago we had no idea about the network side of this. 25 years ago we had no idea about the microchip-level side of this. We hit problems, and we fix them. What better idea does Andrew J Stewart have?
An adequate introduction to the modern conundrum of computer security. Starting with the early security concerns surrounding time-sharing, in which multiple users had access to the same computing hardware, the author builds a foundation on which to explain how every era of computing has faced an essentially insoluble problem. No computer system is ever truly secure...it's merely "secure enough." That is, the risk is reduced to levels that are considered acceptable for use.
Security problems present in large mainframe computers were compounded by the wide public adoption of the internet and browser software that was inherently insecure. The adoption of the internet led to the proliferation of remote attacks originating from every region on earth. This, in turn, led to the growth of computer security as a discrete and profitable business domain. At first, security firms were able to take advantage of corporate panic over their vulnerabilities to sell products that were expensive and far less protective than their marketers claimed. Vulnerability catalogs simply grew too rapidly to be effectively countered.
Many hackers took advantage of flaws in early versions of the Microsoft Windows operating system to the point that Microsoft's business model was threatened. Gates took it seriously and started the "Trustworthy Computing" initiative and began to get a handle on the size of the problem, eventually turning the tide, or at least making it manageable. We now live with the aftermath: Patch Tuesday. You don't even notice since it takes place without your involvement.
The final chapters of the book deal with the social impacts of hacking in which a generation of amateurs gained social standing and credibility among their peers for creating the cleverest hacks, eventually leading to a competitive environment, cresting in the phenomenon of "stunt hacking" in which malefactors attempt to hack any networked device that can be hacked. The more obscure, the better. A willing press, poorly versed in the technical aspects of the activity, breathed life into the phenomenon by credulously accepting the self-promotional claims of these hackers, leading the public to believe that every electronic device in their lives was at risk--from airliners to pacemakers.
This book was quite a surprise. First, it is quite accessible and could be read by somebody with intermediate knowledge of IT without issues. Second, it presents a balanced and very critical view of the evolution of cybersecurity, which does acknowledge accomplishments, but focuses much more on evaluating the pernicious elements of the industry. To those not familiar with this type of literature: this is not exactly common. The usual is to go through pages and pages of how incredible the founding fathers of the field are and how unique their insights were, how the world would not be the same without them, and so on. Well, not here. Third and last, the author uses a lot of literature from outside of IT to substantiate his arguments, which is refreshing. Overall, I really recommend this book to anybody interested in the subject.
Really good early history of infosec, ok but not great more recent (post 2000?) history and current state of infosec. The mainframe, Orange Book/rainbow book/etc. era was well covered, although it might have been better with more context for how the systems were used, non-computing systems they were replacing, etc. Probably a broad enough topic that the ideal book would be focused on a specific era, more deeply covered, as part of a series?
The author was generally correct that most computer security measures have been ineffective, badly measured, etc. Exactly why that is would probably again be better addressed in detail. Not totally on-board with his proposed solutions.
A good look at not only some issues in information security but what was done in the past and how we've arrived here. This is a different view which is much more academic in nature than some of the more recent information security books, which are written to be more like a long magazine article. Neither style is right or wrong, but I appreciated that this was written correctly for the audience, an infosec professional.
The attempted whitewashing of Microsoft's security record is simply laughable. This is understandable; the author might have some conflict of interest there or misguided loyalty. What makes this book really offensive is the author's advocating against the security research practice of hunting for vulnerabilities, claiming the head-in-the-sand approach "might" be somehow better for users. At this point I will assume that the author literally works for Microsoft.
This was excellent right up until the last quarter where it totally lost me with all its normie-ness and complete misunderstanding of how bug bounties and white hat hacking inform and affect digital society.
Gene Spafford, Professor of Computer Science at Purdue University, observed that "the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." In A Vulnerable System: The History of Information Security in the Computer Age (Cornell University Press), author Andrew Stewart shows how astute Spafford's observation is. And for anyone who has been in information security for a while, the book is a walk down memory lane.
I saw the manuscript as a reader about two years ago and noted that this book provides an excellent blend of history, business, and technical understanding. It is a great read for anyone involved in information security and is a compelling book from start to finish.
But more than just being a history of computer security from ENIAC until today (which is, in fact, a story that has been told many times already), Stewart is a good historian and gives the reader a comprehensive understanding of people, events, and contexts from the last 70 years of information security.
If information security is a child, then as Stewart writes, the child was advanced from grade to grade while having serious learning difficulties. No teacher wanted to take responsibility, so the child was punted from school to school, advanced throughout. The child then graduates, and while wearing a cap and gown, is barely literate. That, my friends, is something like information security today.
If security were just about firewalls and encryption, things would be relatively easy to secure (or so we are led to believe). However, with people involved and people who are subject to irrational whims (the topic which won Kahneman and almost Tversky a Nobel Prize in economics), attackers gain their advantage. Stewart writes that revelations about the psychology and economics of security are, in fact, damaging to the commercial security industry, which wants people to believe that the only thing between them and security is an expensive piece of hardware or software.
While it may seem like Stewart is simply moaning about the current state of security, the truth is that he has his hand on the pulse of information security. He provides countless examples of where the industry has failed. An interesting example is where he writes of stunt hacking, which is where hacking is done for the solitary purpose of getting attention and promoting the person or employer. The danger of stunt hacking is that it is a distraction from serious security issues.
One of the more prominent stunt hacking episodes was at Black Hat 2019, where researchers claimed to be able to take over a Boeing airplane. While the security researcher dropped a bombshell that the Boeing Dreamliner is susceptible to hacking, I wrote (here) that there was, in truth, no real cause for concern.
While the history of information security does include a lot of doom and gloom, which the book shows, Stewart does write what is needed to turn this curve: he writes that there needs to be a concerted effort to understand better how complexity affects information security and how that complexity can be managed.
Stewart closes with the observation that after the Napoleonic Wars, Prussian general Carl von Clausewitz wrote that an effective military strategy requires insight into the great mass of phenomena and of their relationships, then it must be left free to rise into the higher realm of action. This is the case also with information security, where the substantial must replace the superficial, the essential must replace the ephemeral.
You do not have to be a CISSP to appreciate this book. Stewart has written an important book where he articulates the history of information security in a non-technical, readable, and engaging format. Those who cannot remember the past are condemned to repeat it, both in world history and information security. The book details the past of how we got here. Only by understanding that can the industry truly put security in place. For those that take security seriously or consider their privacy necessary, A Vulnerable System is a book that must be read.