
Recommended Security Reading - Garbage
http://dfir.org/?q=node/8/
======
wglb
Really a better list is by tom his own self:
[http://www.amazon.com/lm/R2EN4JTQOCHNBA/ref=cm_lm_pthnk_view...](http://www.amazon.com/lm/R2EN4JTQOCHNBA/ref=cm_lm_pthnk_view?ie=UTF8&lm_bb=)

My recommendations would add:

[http://www.amazon.com/The-Codebreakers-Comprehensive-Communi...](http://www.amazon.com/The-Codebreakers-Comprehensive-Communication-Internet/dp/0684831309) by David Kahn. Many stories of the whole
history of secret communications, with lessons in op-sec, not changing the
codes frequently enough, they can't possibly break this.

The John le Carré
[http://en.wikipedia.org/wiki/John_le_Carr%C3%A9](http://en.wikipedia.org/wiki/John_le_Carr%C3%A9)
books. Do you remember the point where someone says to Smiley "There is no
reason to think that they tapped the phone", to which Smiley replies "There is
every reason"?

A must read, I tell my students in my Security Awareness training classes, is
The Cuckoo's Egg [http://www.amazon.com/The-Cuckoos-Egg-Tracking-Espionage/dp/...](http://www.amazon.com/The-Cuckoos-Egg-Tracking-Espionage/dp/1416507787). Examples like default service accounts on DEC VAX
with username Field and password Service. Note when this was written, and are
our habits really any better with junk hung on the internet? Concepts
pioneered in his book, as effective as they are, are not practiced. Note the
alarms going off, ignored, at a large retailer last Thanksgiving. Or another
retailer recently: "Wait, what, we are being attacked? I didn't feel
anything".

Most vulnerable is the thinking "Well, they can't get our X because <thing we
did>". I have a matrix of attacker motives and what they are after. There are
motives and targets you haven't thought of.

~~~
danielweber
I got Codebreakers over 15 years ago, and I _still_ haven't finished it. That
thing is incredibly dense.

I don't know if this is a recommendation, an anti-recommendation, or an
excuse.

~~~
ics
At the very least, it's a challenge to all the habitual readers on HN.

------
tptacek
Avoid _Applied Cryptography_. You probably won't get too much value from
_Introduction to Modern Cryptography_, either.

The only cryptography book I can recommend is _Cryptography Engineering_ (nee
_Practical Cryptography_, which is virtually identical).

You would be surprised how few professional security people know anything
about cryptography. It certainly isn't a qualifier.

I generally have a hard time with any book list for security people that
includes, for instance, _Design Patterns_.

~~~
privong
> I generally have a hard time with any book list for security people that
> includes, for instance, _Design Patterns_.

Would you please elaborate on this point? I am not familiar with that book and
so do not know why its inclusion reflects poorly on the list (or the list
author's assessments).

~~~
tptacek
_Design Patterns_ is one of those books that nerds of a certain vintage all
have on their bookshelves. The lucky ones --- most of them! --- haven't read
it carefully. It's a book about software architecture, and, more specifically,
about turning C++ into Smalltalk.

It has absolutely no relevance to software security, even in terms of
background material about computer science. (It's actually of dubious
relevance to programmers in general). It's one of a couple books on this list
that give it the flavor of "I just typed up my bookshelf".

It doesn't help that the summary is "Required reading for any serious
programmer".

~~~
skue
I agree that _Design Patterns_ has little to do with security, but I think you
are being a bit hard on it from a programming perspective.

Certainly the book is tremendously useful for ObjC programmers because Apple
incorporated most of these patterns into Cocoa and Cocoa Touch. And as someone
who has done code review with junior Android developers, I wish that more devs
read it. When a security researcher refers to a MITM attack or SQL injection,
these higher-level concepts mean something and enable clearer conversation.
That's what design patterns provide to software developers.

~~~
mechanical_fish
_Apple incorporated most of these patterns into Cocoa and Cocoa Touch._

Great! That means I could just learn to work with Cocoa and Cocoa Touch and
skip the tedious exposition.

I would try to explain why I've never been able to pick up a patterns book
without eventually throwing it against a wall, and why I prefer to encounter
my patterns in the wild as I work on actual code, where I can poke and prod
them and watch how they behave in practice, but it's already been thoroughly
explained and even given a name, The Monad Tutorial Fallacy:

[http://byorgey.wordpress.com/2009/01/12/abstraction-intuitio...](http://byorgey.wordpress.com/2009/01/12/abstraction-intuition-and-the-monad-tutorial-fallacy/)

Sounds to me like your junior Android developers might be learning patterns
just fine: They trip over one in practice, and then they learn about it with
the help of their teacher. This is how learning works. There is no royal road
to geometry, and beginners don't become experts overnight just by reading the
right book.

~~~
tptacek
A better way to learn the GoF patterns is through Norvig's presentation on why
they aren't necessary in better programming languages.

Google for [Norvig patterns] or [Norvig GoF].

------
yeukhon
The Tangled Web is written by Michal Zalewski. The book is the updated version
of the famous Browser Handbook. [1] I still recommend looking at it if you
can't get The Tangled Web. IMO, this is the bible of web security today.

I really hope people can put together a web security book (and free) that is
up-to-date. To me, the Tangled Web does a pretty good job, but there are still
nuts and bolts missing or wordy.

OWASP wiki is okay-ish but I really hate digging the wiki just to find the
information is either incorrect or outdated.

[1]:
[https://code.google.com/p/browsersec/](https://code.google.com/p/browsersec/)

------
adamfeldman
The Hacker Crackdown by Bruce Sterling (cyberpunk author) is awesome. It's the
story of Captain Crunch and the rest of the phone phreaks in the late 80s and
early 90s, and some of the earliest prosecutions of hacking by the U.S.
federal government. Apparently they still throw a 2600 magazine party at
defcon....

[http://www.mit.edu/hacker/hacker.html](http://www.mit.edu/hacker/hacker.html)

------
0xeeeeeeee
Alright. If you are a web developer or you are a whatever who knows nothing
about security, please read resources that apply to whatever you do.

Learning security on a topic will make you so much better at what you do and
it will make you learn internal details AND best practices.

The things you build will be BETTER not just more secure

I'm really tired of reporting account hijacks and Remote code executions to
startups who look at me blankly when I explain what I did

------
gulfie
A quick review showed a lack of: Reflections on Trusting Trust, Ken Thompson
([http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html))

Any list without it, is a list without it.

~~~
atttrc
I only posted books to the list in order to keep it manageable. If I tried
posting blogs, journal articles, etc. then the list would go on forever and be
impossible to ever finish.

------
jrapdx3
Whatever the list lacks, it is a very long list; let's admire its amazingly
broad and deeply substantial veins for us to mine and keep on learning about
for a long time. Those of us who have not yet reached the glory heights
climbing the learning curve appreciate the vast richness of the resources
while stumbling among them to find the best way to gain traction.

Here's a strategy: I'll organize a visit to our local technical bookstore and see
what new and used gems await me, like a treasure hunt to secure such dead tree
scrolls.

------
NhanH
Let's say I'm interested in building an app that uses encryption: an end-to-end
email client and/or server, a tarsnap competitor, or I just want to build
a privacy conscious app (end-to-end encryption of user data, basically). How
should I get started? Would there be a reading list on cryptography besides
the security reading list?

(And yes, I know the best way is to get a PhD building the thing, but I'm
interested in learning nonetheless.)

------
Kociub
Modern Operating Systems - The classic dinosaur book from Tanenbaum.

Wrong.

The dinosaur book is written by Silberschatz, Galvin and Gagne and is called
"Operating System Concepts".

~~~
s-phi-nl
FWIW, _Modern Operating Systems_ is the classic book by Tanenbaum. You are
correct, however, that my edition has a circus on the cover, not a dinosaur.

Seems like the author did not put too much care into this list.

~~~
atttrc
One typo in a huge list shows "not too much care"?

------
leephillips
How about _Practical Unix & Internet Security_ by Simson Garfinkel and Gene
Spafford. Too old?

[http://www.amazon.com/Practical-Unix-Internet-Security-Editi...](http://www.amazon.com/Practical-Unix-Internet-Security-Edition/dp/0596003234/ref=sr_1_1?ie=UTF8&qid=1409999358&sr=8-1&keywords=unix+security+spafford)

~~~
mvlad
I think the target audience is different.

For people _really_ interested in crypto there's obviously HAC [1].

For people interested in something that is updated each year: LNCS from DIMVA
and RAID are quite good for understanding the problems or future problems and
their solutions.

And of course phrack?

[1] [http://cacr.uwaterloo.ca/hac/](http://cacr.uwaterloo.ca/hac/)

------
Tiksi
Reverse Engineering for Beginners
([http://beginners.re/](http://beginners.re/)) was posted on here a while
back. Does anyone have any opinions on this?

Looks pretty well written from a quick look at it, but I'd love to hear some
thoughts before committing to reading through it.

------
deutronium
Can anyone recommend any good security books on hardware, for example covering
power analysis, glitching etc.?

------
Garbage
Some additional books are also mentioned at this StackExchange question:
[https://security.stackexchange.com/questions/2013/books-abou...](https://security.stackexchange.com/questions/2013/books-about-penetration-testing/3941#3941)

------
clarry
Chapter 6 (C language issues) from TAoSSA is available free of charge.

[http://ptgmedia.pearsoncmg.com/images/0321444426/samplechapt...](http://ptgmedia.pearsoncmg.com/images/0321444426/samplechapter/Dowd_ch06.pdf)

------
mjawa
A real hacker would tell you that all these books are really not needed. All
you need to know is the ins and outs of any one OS (say Windows), and a good
understanding of any one hardware architecture (say x86). Practical reverse
engineering/hacking is then about getting your hands dirty by doing things
using tools like IDA. What you really need is a very strong intuition and
understanding of software upside-down (from hardware instructions to source
code and vice versa). There is a reason why practical hacking/reverse
engineering is an ART.

~~~
forgottenpass
From the linked page:

_A real hacker would tell you that all these books are really not needed._

Who's saying that these "need" to be read? Maybe the HN title has been changed
in the meantime, but this is entirely presented as a list of resources. You're
not going to argue against reading books as a component of education, are you?
And I don't even want to know where that "real hacker" stuff is coming from.
That word hasn't meant anything concrete for over a decade.

------
sarciszewski
Now if only this linked to EPUBs instead of Wiley/Amazon/etc, that'd be really
convenient :)

------
nmb
Besides lacking resources on social engineering, looks very good!

------
Rupersia
Thank you.

