Tech books that I’ve found interesting over time

a̶r̶e̶i̶n̶o̶
Dec 2, 2020

I spend most of my free time reading.

(While it’s true that 2020 has been a bit of an outlier as the pandemic has wrecked my attention span, I still dedicate a fair portion of my free time to reading.)

I read mostly science fiction, but also stuff about information security, the history of modern technology and the societal impacts of tech innovations.

While sorting out a new bookshelf I decided to make a selection of those books that shaped in some way or form how I think about technology, information security, etc. It is not, by any means, a complete and exhaustive reading list on the topic, just the books that I found interesting and which I happen to own.

Maybe it is interesting to anyone with similar interests as myself (tautological as it sounds).

ANCIENT (TECH) HISTORY

Some books on the development of the digital world, from early musings on computing and control systems to wartime code-breaking to the development of the digital computer and the internet.

  • “Cybernetics”, Norbert Wiener. As one of the most esteemed scholars in US history, Wiener made huge contributions to the fields of electrical engineering and control systems, robotics, computer control, information processing and even machine learning. He is considered the father of cybernetics, through the application of the feedback principle from electronics to mechanical, social and cognitive systems. Don’t expect an easy read, though :)
  • “The secrets of Station X: How the Bletchley Park codebreakers helped win the war”, Michael Smith. The story of Bletchley Park (“Station X”), the breaking of the German Enigma encryption machine, and its implication in several Allied operations during World War II.
  • “GCHQ”, Richard J. Aldrich. Historical account of how the Bletchley Park wartime code-breaking operation was the origin of the secretive British “Government Communications Headquarters” (GCHQ) organization.
  • “Turing’s cathedral: The origins of the digital universe”, George Dyson. A historical account of the development of the digital computer in the years following World War II in an attempt to realize Turing’s vision of a Universal Machine.
  • “Where wizards stay up late”, Katie Hafner and Matthew Lyon. Fascinating account of the origins of the internet in the 60’s, during the Cold War, from BBN and ARPANET by some acoustics engineers.

INTEL, COUNTERINTEL, STRATEGY AND TACTICS

Some interesting reading on strategy, tactics and intel/counterintel as applied to the cyber-security domain and operations.

  • “On war”, Carl von Clausewitz. One of the first attempts to systematize (military) conflict, strategy and tactics. Some concepts like “the fog of war”, friction, strategy as an “art” vs tactics as “science”, and the unpredictability of conflict and the differences between “ideal war” and “real war” are discussed here. Anyone interested in strategy, cyber-security operations and/or military history should read this.
  • “Critical thinking and intelligence analysis”, David T. Moore. The importance of critical thinking and a framework to apply critical thinking to intelligence analysis from a former technical director at the NSA.
  • “Counterintelligence theory and practice”, Hank Prunckun. Good discussion of the grounded theory underpinnings and the practical aspects of a successful counter-intelligence operation. Very relevant to cyber-security operations.
  • “Reverse deception: Organized cyber threat counter-exploitation”, Sean Bodmer, Max Kilger and Gregory Carpenter. Very practical and hands-on (hunt, disrupt, expose, evict) guide on how to go after advanced threat actors in your environment with special focus on deception and counter-intel tactics.
  • “Silence on the wire”, Michal Zalewski. I am not sure which section this book should go in. It is focused on passive reconnaissance, by explaining how stuff works and how things communicate, and building up from there. It is eye-opening and beautiful.

TRUE (CYBER) CRIME

Good hackers, bad hackers, government-sponsored trolls, disinformation campaigns, cyber-warfare and where all this is going.

  • “The cuckoo’s egg”, Cliff Stoll. Cliff was an astronomer/sysadmin in 1989 when a tiny accounting error hinted at the presence of a hacker in his systems, and he went into a one-man “threat hunt” that exposed a cyber-espionage operation involving the CIA, KGB, drugs and money. Great read.
  • “Hacker, hoaxer, whistleblower, spy”, Gabriella Coleman. Gabriella is an anthropologist who has put together this great account of the “many faces of Anonymous” and the different subcultures around it.
  • “Countdown to Zero Day”, Kim Zetter. The story of Stuxnet, its development, spread, discovery and analysis, and the origins of the first “cyber weapon” against the Iranian nuclear fuel enrichment program.
  • “Sandworm”, Andy Greenberg. An account of another “cyber weapon”, NotPetya, which had devastating consequences around the world, and the story of the Russian military intelligence agency behind it.
  • “This is not propaganda: Adventures in the war against reality”, Peter Pomerantsev. Influence operations, psyops, bots and sock-puppets, government-sponsored trolls, online harassment of dissidents. A distressing description of the attempts to disorient public opinion and undermine our sense of truth and democracy.
  • “There will be cyberwar”, Richard Stiennon. Good discussion of the asymmetry and different speeds between development of offensive and defensive capabilities at a national level, and how the defensive capabilities always lag behind, setting the scenario for cyber war.

SECURITY ENGINEERING

Recommended reading for anyone really into security architecture or engineering. Very technical, not for the faint of heart.

  • “Security Engineering”, Ross Anderson. Excellent book, now into its third edition (I actually own both the first and the second editions). I would say this is the Bible of security engineering, together with the next one I mention by Gutmann. It covers all aspects, from the psychology of security to the economics aspects. From nuclear missile security to design for tamper-resistant hardware. And you can find it for free at Ross’ website here https://www.cl.cam.ac.uk/~rja14/book.html
  • “Engineering Security”, Peter Gutmann. Together with Anderson’s book, the best book on security engineering. It covers the psychology, threats, design, usability and user experience and passwords and cryptography, from one of the fathers of modern cryptography. This book is only available online for free at https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
  • “Applied Cryptography” and “Cryptography Engineering”, Bruce Schneier and Niels Ferguson. The first one is the most definitive reference on cryptography building blocks, algorithms, techniques and protocols. The second one expands on the topic, with even more technical detail, while acknowledging that cryptography is not “sort of magic security dust” that can be sprinkled over a problem to make security issues go away. Both are mandatory reference material when getting serious about cryptography.
  • “Threat modeling: Designing for security”, Adam Shostack. The reference in threat modeling throughout the Secure Development Lifecycle (SDLC), the STRIDE methodology, attack trees, strategies around threat modeling, etc.
  • “Securing systems: Applied security architecture and threat models”, Brook Schoenfield. Another great reference on security architecture, threat models, defense in depth, assessments, principles and patterns.

REFLECTIONS ON INFOSEC

Some interesting books on information security in general, not technical in nature.

  • “Beyond Fear”, “Secrets and Lies”, “Liars and Outliers”, “Schneier on Security” and “Click here to kill everybody”, Bruce Schneier. Yes, I like Schneier; there is nobody like him to discuss the deeper issues of security and trust, what cryptography can or cannot do for you, security failures and the price we pay, and the way forward if we want to avert impending doom. The fact that I have several of the books signed (signed with a cryptogram!) by Schneier himself has no bearing on my selection :)
  • “The Art of Deception”, Kevin Mitnick. The “world’s most infamous hacker” on exploiting the human side of information security, and how skillful social engineering can give any technical security control a run for its money. BEC (Business Email Compromise) or the “CEO scam” is one of the most lucrative areas of cyber-crime, so maybe Mitnick was onto something when he wrote that almost 20 years ago.
  • “Beautiful Security”, Andy Oram and John Viega (editors). This is really a collection of 16 essays by industry experts (people like “Mudge”, Philip Zimmermann of PGP fame or Anton Chuvakin) describing how they think, how they approach problems creatively, and useful insight on the industry and the threat landscape.

MATHS, STATS AND VISUALIZATION

From risk analysis done right, to complex systems to advanced visualization techniques. Not all of these books are security-specific, but lessons can be learned from all of them.

  • “The Black Swan”, Nassim Nicholas Taleb. This book is a classic on probability, luck, risk and the high impact of low probability events, whether it is economy melt-downs or devastating cyber incidents.
  • “Complexity: A guided tour”, Melanie Mitchell. From insects to societies to complex technology, emergent and adaptive behaviors, self-organization, etc. Good introduction to the science of complex systems.
  • “Risk: The science and politics of fear”, Dan Gardner. Good book on risk and perception of risk, probabilities, psychology and biases.
  • “Data-Driven Security”, Jay Jacobs and Bob Rudis. The need for evidence-based data-driven information security practice seems self-evident, and the opposite is to fall into magical thinking and “cargo cult” behaviors. This book contains several examples of data-driven security practices.
  • “How to measure anything in cybersecurity risk”, Douglas Hubbard. This book is a declaration of war on the “qualitative” methods of risk analysis, and how many of the risk assessment techniques popular in the field actually do more harm than good. It describes good techniques for “quantitative” methods, even where you think there is no data available.
  • “Visualize this”, Nathan Yau. This book is just beautiful. How do you tell a story with data, including examples, step-by-step instructions and useful tools.
  • “Security Data Visualization”, Greg Conti. Similar to the previous book. Good techniques and examples on visualization of security-specific and network information.

SOCIETAL IMPACT

This list contains books on the impact and dangers of technology, be it disruptive transformation, technological solutionism, the societal impact of algorithms and machine learning, or runaway AI destroying the world as we know it.

  • “The net delusion: The dark side of internet freedom” and “To save everything, click here”, Evgeny Morozov. A contrarian view of technology progress, discussing surveillance capitalism, use of internet tools and “big data” for oppression by repressive regimes, and the follies of technological solutionism.
  • “Does IT matter?” and “The big switch”, Nicholas Carr. Is IT still a “competitive advantage”? Or does the utility-model of IT (as seen in 2004) mean that every organization has the same access to tools and it no longer “matters” when competing in the market? What are the implications of the cloud and the utility computing on society?
  • “Weapons of math destruction”, Cathy O’Neil. Detailed analysis of how “big data”, “machine learning” and opaque, unregulated and uncontestable algorithms are threatening our lives, society and democracy itself.
  • “Here be dragons”, Olle Häggström. What do technological progress and specifically Artificial Intelligence mean for the long-term survival of the human race?

OTHER

I want to finish with two classics. The kind of book that sends your mind down unexpected paths and leaves an imprint when you read it as a young geek :)

That’s it, that is the list.

There are many omissions. Readers (if you got this far), you are encouraged to post your own comments or suggestions.

a̶r̶e̶i̶n̶o̶

Security architect at Secureworks. Privacy and human rights. A walk-on part in the war. Adverse camber.