
Cybersecurity Humble Book Bundle - ranit
https://www.humblebundle.com/books/cybersecurity-wiley?mcID=102:5969310af4ab4ee605cf8d98:ot:57628d3c0dca63f1bd6cacd2:1&utm_source=Humble+Bundle+Newsletter&utm_medium=email&utm_campaign=2017_07_17_wiley_bookbundle&linkID=&utm_content=cta_button
======
dsacco
So, I've read most of these. Here's a tour of what is definitely useful and
what you should probably avoid.

_________________

Do Read:

1. _The Web Application Hacker's Handbook_ - It's beginning to show its
age, but this is still absolutely the first book I'd point anyone to for
learning practical application security.

2. _Practical Reverse Engineering_ - Yep, this is great. As the title
implies, it's a good practical guide and will teach many of the "heavy" skills
instead of just a platform-specific book targeted to something like iOS. Maybe
supplement with a tool-specific book like _The IDA Pro Book._

3. _Security Engineering_ - You can probably read either this _or_ _The Art
of Software Security Assessment._ Both of these are old books, but the core
principles are timeless. You absolutely should read one of these, because they
are like _The Art of Computer Programming_ for security. Everyone says they
have read them, they definitely should read them, and it's evident that almost
no one has actually read them.

4. _Shellcoder's Handbook_ - If exploit development is your thing, this
will be useful. Use it as a follow-on from a good reverse engineering book.

5. _Cryptography Engineering_ - The first and only book you'll really need
to understand how cryptography works if you're a developer. If you want to
make cryptography a career, you'll need more; this is still the first book
basically anyone should pick up to understand a wide breadth of modern crypto.

_________________

You Can Skip:

1. _Social Engineering: The Art of Human Hacking_ - It was okay. I am biased
against books that don't have a great deal of technical depth. You can learn a
lot of this book by reading online resources and by honestly having common
sense. A lot of this book is infosec porn, i.e. "Wow I can't believe that
happened." It's not a _bad_ book, per se, it's just not particularly helpful
for a lot of technical security. If it interests you, read it; if it doesn't,
skip it.

2. _The Art of Memory Forensics_ - Instead of reading this, consider reading
_The Art of Software Security Assessment_ (a more rigorous coverage) or
_Practical Malware Analysis._

3. _The Art of Deception_ - See above for _Social Engineering._

4. _Applied Cryptography_ - _Cryptography Engineering_ supersedes this and
makes it obsolete, full stop.

_________________

What's Not Listed That You Should Consider:

1. _Gray Hat Python_ - In which you are taught to write debuggers, a skill
which is a rite of passage for reverse engineering and much of blackbox
security analysis.

2. _The Art of Software Security Assessment_ - In which you are taught to
find CVEs in rigorous depth. Supplement with resources from the 2010s era.

3. _The IDA Pro Book_ - If you do any significant amount of reverse
engineering, you will most likely use IDA Pro (although tools like Hopper are
maturing fast). This is the book you'll want to pick up after getting your IDA
Pro license.

4. _Practical Malware Analysis_ - Probably the best single book on malware
analysis outside of dedicated reverse engineering manuals. This one will take
you about as far as any book reasonably can; beyond that you'll need to
practice and read walkthroughs from e.g. the Project Zero team and HackerOne
Internet Bug Bounty reports.

5. _The Tangled Web_ - Written by Michal Zalewski, Director of Security at
Google and author of afl-fuzz. This is the book to read alongside _The Web
Application Hacker's Handbook._ Unlike many of the other books listed here it
is a practical _defensive_ book, and it's very actionable. Web developers who
want to protect their applications without learning enough to become security
consultants should start here.

6. _The Mobile Application Hacker's Handbook_ - The book you'll read after
_The Web Application Hacker's Handbook_ to learn about the application
security nuances of iOS and Android as opposed to web applications.

~~~
jdasinger
How would you suggest approaching these books in order to translate the
"reading" into practical/demonstrable skills?

For instance, I'm currently working through _The Web Application Hacker's
Handbook_ and also trying things out with OWASP's Broken Web App VMs. I feel
like the book is covering a lot more than the broken web apps do, and the
broken webapps don't really give a ton of practice, although so far I've only
gotten into the "Training" webapps (Mutillidae, Webgoat, DVWA etc), so maybe
just digging into the "realistic" apps more will expose me to more of what's
in the book. Just looking for some guidance on how to approach the reading-vs-
doing divide.

Thanks for the advice.

~~~
dsacco
I'll echo what the sibling comment said about CTFs. Those are a great way of
drilling the theory in the same way you need to drill problems to really
cement mathematical maturity.

Practically speaking, read through each chapter and then try to find an
example of this vulnerability in an existing web application. Try bug bounties
as well to get a feel for where real world developers make mistakes. A lot of
information security is learning to challenge assumptions.

------
EnFinlay
Is there a legal / not crazy expensive way to buy humble bundle books and get
them printed on standard 8.5x11, bound in a series of binders / duotangs /
twine? I'm going to buy the bundle, but greatly prefer physical pages to
reading on a screen.

~~~
camiller
Legal: No. These are copyrighted works after all.

That said, if you have a laser printer it is probably cheapest to print it
yourself. Buy paper that already has the three holes in it for the binder.

Still probably near the price of buying the actual books.

Edit: And if you still want to have there be a bit of a charity tie-in, the
Amazon smiles program smile.amazon.com has a lot of charitable organizations
to choose from.

~~~
TheQwerty
RE AmazonSmile: Be sure that the organization you wish to support is aware of
the program and actually registered with Amazon to receive the funds.

The list of charities that Amazon shows is from GuideStar USA, which has
compiled the information from the IRS, but this includes organizations which
may not have registered and thus may never receive the donations.

See the section "Charitable Organizations that Do Not Register" here:
[https://smile.amazon.com/gp/chpf/pd/ref=smi_se_saas_lpd_spd](https://smile.amazon.com/gp/chpf/pd/ref=smi_se_saas_lpd_spd)

~~~
ojbyrne
How do you know if your chosen organization is registered? Is there a list
somewhere?

~~~
TheQwerty
Good question!

The best way appears to be to pretend you want to register that organization
on Amazon's Org Central site[0], which shows which are already registered. (An
example search for Child's Play[1].)

As a shopper I do not believe Amazon makes this abundantly clear when you're
selecting an organization. One thing to look for is the amount of information
shown about the organization, specifically the incorporation year, as those
that register have to fill out a profile.

According to the FAQ if a shopper selects an organization that is not
registered and makes an eligible purchase they will track the donation. If the
organization registers they'll get the donation, but if they have not after 2
years then Amazon will contact the shopper and give them 30 days to select a
new charity. (I'm not sure if this then resets the 2 year clock or not.) If
the shopper does not select a new organization then Amazon reallocates the
donation across the registered organizations.

In any case the only way to be 100% sure is to inquire with the organization.

[0]: [https://org.amazon.com/](https://org.amazon.com/)

[1]:
[https://org.amazon.com/npo/search?q=Child%27s%20Play&p=1](https://org.amazon.com/npo/search?q=Child%27s%20Play&p=1)

------
Tepix
I use 2FA on Humble Bundle. In order to log in, I have to solve several
captchas. I then have to solve more to buy stuff.

All in all I have to solve the captcha 5 times or so, each time involves
marking multiple images.

What sense does this make?

Either they trust the captchas (then they only need one), or they don't (then
they should remove them). I've complained about this to them in the past but
they haven't changed it.

~~~
lqdc13
You need a captcha to log in so that it's hard to make multiple fake accounts.
You need captchas to buy stuff because otherwise one could make all accounts
manually and then use them to quickly buy products to spend some bank account
before it's banned.

I think each smallish site would benefit from designing their own captchas
because that way the effort to solve for machines would be harder than solving
the Google captchas. The effort to solve for humans would be a lot lower. This
is perhaps one of the few areas where rolling your own security solution is
beneficial by virtue of it being different.

~~~
kbenson
I think perhaps you underestimate how hard it is to make a good captcha, that
is one that is hard to solve programmatically but not too hard to solve for a
real person (this second part is often overlooked as easy). I suspect you'll
find a lot of the prior techniques work well when applied to someone's hand-
rolled version, given that coming up with something unique enough to not have
prior work put into solving it (and have enough variation to make learning the
entire data-set infeasible) is likely much harder than you think.

~~~
lqdc13
I don't know... It seems stupid easy to me. Try something like "Type the third
and fifth letters of the word elephant into the box below" with an Instagram
filter applied. A bunch of variations for the first part like "the following
word" and "the word in parentheses".

Basically, I can't think of a way to come up with something ez that defeats
it. You would have to train a neural net specifically on these images because
normally neural nets are bad at instagram filter removal unless trained on it.
Plus you can slow down/ban/mess with requests based on cookies.

There are basically infinite solutions. Would take a couple of days to
implement and would be really fun. I guarantee you: if your site gets maybe
30k visitors a week, nobody would bother spending a month cracking your
captcha when there are much easier targets out there.

Finally, you can make it super annoying to actually find where the image is by
converting to svg and messing with html structure/compose image in JS. Now
they're going to be forced to run a headless browser, take screenshots of the
captcha page and finding the image within the page.

If they take the pay-per-captcha approach, I don't think anti-captcha and the
like would make it too ez. Still days of work to set up something really
brittle.

~~~
kbenson
> Try something like "Type the third and fifth letters of the word elephant
> into the box below" with instagram filter applied.

That was a common captcha technique a decade ago. It didn't last.

> Basically, I can't think of a way to come up with something ez that defeats
> it.

You're mistaking your inexperience with the field and its methods for
difficulty in solutions.

> Finally, you can make it super annoying to actually find where the image is
> by converting to svg and messing with html structure/compose image in JS.

This isn't hard to defeat. SVG is really no harder than PNG or JPEG to deal
with, and if you are programmatically altering it, it's trivial to figure out
the purpose of the JS and re-implement it, and pass in whatever randomized
variables change it. Or just use node, and scrape it from the page and run it
as delivered.

> Now they're going to be forced to run a headless browser, take screenshots
> of the captcha page and finding the image within the page.

That's trivial. Far more trivial now than it was in the past, actually.
There's plenty of systems around to run headless browsers. Some are to ease
testing for developers, some are specifically designed for and marketed to
people that want to do things just like this. Worst case, you use electron and
make your own browser to do it.

------
mr_overalls
Schneier's "Applied Cryptography" by itself justifies the $15 bundle, IMHO.
This is a great deal.

~~~
chubot
Mandatory:
[https://www.schneier.com/blog/archives/2009/09/the_cult_of_s...](https://www.schneier.com/blog/archives/2009/09/the_cult_of_sch.html)

_But in the introduction to Bruce Schneier's book, Practical Cryptography,
he himself says that the world is filled with broken systems built from his
earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying
the problem._

[https://blog.cryptographyengineering.com/2011/11/07/in-defense-of-applied-cryptography/](https://blog.cryptographyengineering.com/2011/11/07/in-defense-of-applied-cryptography/)

~~~
mr_overalls
As someone learning crypto (and slowly joining the Cult of Schneier), this is
a valuable caution. Thank you!

------
dronemallone
Security Engineering is free on the author's website :)
[http://www.cl.cam.ac.uk/~rja14/book.html](http://www.cl.cam.ac.uk/~rja14/book.html)

~~~
_coldfire
Shhh, plenty of humble books are easily found, but they do good work and
provide quality content.

------
kirian
I find this offering ironic - "Bitcoin payments have been disabled for
the Humble Book Bundle"

------
twoquestions
Great, now there's another collection of books which I'll want to read which
I'll feel bad about missing the deal for, then kick myself for never actually
reading them in-depth.

I think I've bought 50 books from Humble Bundle (spending about $1/book), but
I've only cracked open a few of them.

Also thank you dsacco for the recommendations!

------
znpy
Remember to choose a charity entity for your donation!

ProTip: entities like the FSF, the EFF, Wikimedia and many others can be
helped via the humble bundle!!

------
_coldfire
To download all books at once:
[https://gist.github.com/graymouser/a33fbb75f94f08af7e36](https://gist.github.com/graymouser/a33fbb75f94f08af7e36)

Improved *nix version further down the thread

Change "MOBI" to "PDF"/"EPUB" if desired

------
nonamechicken
I am interested in learning more about securing web servers (nginx, nodejs).
Is there a book in this bundle that could help me? If you know any good books,
please recommend me one.

~~~
dsacco
Read _The Tangled Web._ It's an excellent book for developers that covers
defensive tactics for securing web resources. The beauty is that it approaches
the subject with developers in mind, not developers looking to become
penetration testers (which is why I wouldn't recommend _The Web Application
Hacker's Handbook_ for your use case).

~~~
lawnchair_larry
Which chapter(s) of The Tangled Web do you feel would benefit a web server
administrator? It is a great book, but it is almost entirely focused on
attacking _browsers_. It's not clear to me what changes someone might make to
their nginx configuration (for example) in light of the information provided
in the book.

~~~
dsacco
I didn't read that out of _The Tangled Web._ It did cover attacks, but it was
also a solid guide on shoring up defenses for developers.

To circle back to your question - nginx is fairly robust out of the box, but
_The Tangled Web_ will cover extra configuration steps. For example - how to
securely handle and serve files uploaded by users, including file naming
conventions.

Other best practices for configuring things like TLS and CORS will also be
covered, which are in the purview of any developer setting up a web server. My
interpretation of the book was that it covered attacks that are executed
through the browser (especially via user input) insofar as it's instructive
for developers to learn how to avoid them.

------
b100w11
Ironically, the Malware Analyst's Cookbook EPUB seems to be infected by a
trojan. And the Web Application Hacker's Handbook, also in EPUB, by another one.

~~~
weinzierl
My first thought was: "Not surprising for a book on malware, probably
triggered by an example in the book".

I uploaded the file to virustotal.com and malwr.com. VirusTotal has reports
from several scanners, so this is not just misreporting from a single scanner.
malwr.com opens the file in a sandbox and it says that it makes HTTP
connections and installs itself for autorun at Windows startup.

The Web Application Hacker's Handbook is reported by my local ClamAV 0.99.2
with current sigs but not by VirusTotal. malwr.com also reports HTTP
connections and autorun.

I uploaded several other EPUB files and none of them was reported to show such
behaviour.

Strange...

------
komali2
Fantastic, glad to have more reading to prep for defcon!

------
SadWebDeveloper
CEH v9 at the 15 USD bundle level is quite a joke; IMHO that should go to the 1
USD level, but anyway, as someone said, Applied Cryptography might be the selling
point here.

Personally speaking, the only books valuable in this bundle are "Practical
Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and
Obfuscation" and "Applied Cryptography: Protocols, Algorithms and Source Code
in C, 20th Anniversary Edition"; the others are either quite outdated, too
oversimplified or script-kiddie level stuff.

~~~
ianai
What do you have against CEH v9?

~~~
PeterisP
Not the original commenter, but just skimmed that book - it's really, really
shallow.

It seems well written, and covers a lot of ground, but it's literally
introductory in the sense of "hey, ianai, let's introduce you to the concepts.
Concepts, this is ianai; ianai, these are the concepts, now wave them goodbye
and let's move on to the next topic".

Answering the test questions included (indicative of the actual certification
questions?) generally requires being _aware_ of all the concepts - it doesn't
require understanding how/why they work; it doesn't require being able to
apply them; simply knowing that they exist and how they're named.

It might be a good starter book for someone coming into the domain, since it
would list all the key things that you'd need to know and introduce you to
most of the terminology, but in order to actually _learn_ any of these things
(and IMHO to be able to pass certification related to any one of these things)
you'd need to go _much_ more in depth than this book will allow.

~~~
ianai
Aye, good to know!

------
gergles
"Pay what you want^"

^As long as it's at least $15.

It bothers me that Humble Bundle has so heavily embraced this type of
marketing.

~~~
ineedtosleep
The first tier is not $15, it's $1.

~~~
Jackalopiate
And it's only $1 to prevent shills from buying in $0.10 increments and
defeating the whole purpose of the service.

~~~
holdontourarch
If I recall correctly, it's a holdover from the video game bundles they offer.
Initially you could just plug in $0.01 and get their bundles for a penny each.
They naturally would have trouble because of card processing fees, but they
allowed it until shortly after they started giving out steam keys for games. A
"security" mechanism that steam has in place is they don't allow users who
haven't purchased any games to participate in trading items/playing the steam
marketplace. Scammers were using humble bundles as a super cheap way of
getting tons of keys they could use on fresh accounts so they could be used to
scam items from legitimate steam users.
