Friday, January 01, 2016

Books read in 2015

Not much blogging going on here lately, but here's my annual list of books read for 2015:
  • George A. Akerlof and Robert J. Shiller, Phishing for Phools: The Economics of Manipulation & Deception
  • Jeffrey S Bardin, The Illusion of Due Diligence: Notes from the CISO Underground
  • Bill Browder, Red Notice: A True Story of High Finance, Murder, and One Man's Fight for Justice
  • Ron Chernow, Alexander Hamilton
  • Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous
  • Karen Dawisha, Putin's Kleptocracy: Who Owns Russia?
  • Laura DeNardis, The Global War for Internet Governance
  • Daniel C. Dennett and Linda LaScola, Caught in the Pulpit: Leaving Belief Behind
  • Mary Douglas and Aaron Wildavsky, Risk and Culture: An Essay on the Selection of Technological and Environmental Dangers
  • William J. Drake and Monroe Price, editors, Internet Governance: The NETmundial Roadmap
  • Jon Friedman and Mark Bouchard, Definitive Guide to Cyber Threat Intelligence
  • Marc Goodman, Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It
  • Marc Hallet, A Critical Appraisal of George Adamski: The Man Who Spoke to the Space Brothers
  • Shane Harris, @War: The Rise of the Military-Internet Complex
  • Peter T. Leeson, The Invisible Hook: The Hidden Economics of Pirates
  • Reed Massengill, Becoming American Express: 150 Years of Reinvention and Customer Service
  • James Andrew Miller and Tom Shales, Live From New York: The Complete, Uncensored History of Saturday Night Live, as Told By Its Stars, Writers, and Guests (two new chapters)
  • David T. Moore, Critical Thinking and Intelligence Analysis
  • Richard E. Nisbett, Mindware: Tools for Smart Thinking
  • Tony Ortega, The Unbreakable Miss Lovely: How the Church of Scientology Tried to Destroy Paulette Cooper
  • Whitney Phillips, This is Why We Can't Have Nice Things: Mapping the Relationship Between Online Trolling and Mainstream Culture
  • Joseph M. Reagle, Jr., Reading the Comments: Likers, Haters, and Manipulators at the Bottom of the Web
  • Jon Ronson, Lost at Sea: The Jon Ronson Mysteries
  • Jon Ronson, So You've Been Publicly Shamed
  • Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
  • P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know
  • David Skarbek, The Social Order of the Underworld: How Prison Gangs Govern the American Penal System
  • Andrei Soldatov and Irina Borogan, The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries
  • Philip E. Tetlock and Dan Gardner, Superforecasting: The Art and Science of Prediction
  • Richard H. Thaler, Misbehaving: The Making of Behavioral Economics
I made progress on a few other books (first two last year, next four from 2014, next three from 2013, last two still not finished from 2012--I have trouble with very long nonfiction e-books):
  • Roger Z. George and James B. Bruce, editors, Analyzing Intelligence: Origins, Obstacles, and Innovations
  • John Searle, Making the Social World
  • Peter Gutmann, Engineering Security
  • Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt
  • Massimo Pigliucci and Maarten Boudry, Philosophy of Pseudoscience: Reconsidering the Demarcation Problem
  • Steven Pinker, The Sense of Style: The Thinking Person's Guide to Writing in the 21st Century
  • Richard Bejtlich, The Practice of Network Security Monitoring
  • James Grimmelmann, Internet Law: Cases & Problems (v2; v3 is out now)
  • Douglas Hofstadter and Emmanuel Sander, Surfaces and Essences: Analogy as the Fuel and Fire of Thinking
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications
Top ten for 2015: Browder, Chernow, Coleman, Ronson (Shamed), Schneier, Phillips, Nisbett, Ortega, Miller and Shales, Thaler. I bought and read Bardin's book because Richard Bejtlich identified it as a "train wreck," and it was.

(Previously: 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Monday, November 23, 2015

A few thoughts on OpenBSD 5.8

I've been using OpenBSD since way back at release 2.3 in 1998, so I've gone through upgrades that took a fair amount of work due to incompatible changes, like the switch from ipf to pf for host firewalling or the change to ELF binaries. The upgrade from 5.7 to 5.8 was a pretty smooth and easy one, for the most part. The two most painful changes for me were the replacement of sudo with doas and the dropping of support for the pf_rules variable in rc.conf. While sudo is still available as a package, I like the idea of reducing attack surface with a simpler program, so I made the switch. The two things I miss most about sudo are the ability to authenticate for a period of time and the ability to have a single config file across a whole set of servers. The former I'm just living with; the latter I've adjusted to by having a single config file that has lines commented out depending on which server it's on. I did have one moment of concern about the quality of doas when it incorrectly reported the line number on which I had a syntax error in the config file--fortunately, this was just a failure to increment the line count on continuation lines (ending with a "\"), which is fixed in the -current release.
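One way to mechanize the "single config file, lines commented out per host" approach is to keep one master file and render the per-host doas.conf from it. The script below is an added example, not the author's tooling and not a doas feature: the `#@host1,host2 ` tag convention for host-specific lines, the `render_doas_conf`/`install_doas_conf` helper names, and the sample master file are all this example's own assumptions, and it assumes the installed doas accepts `-C` for a parse-only check.

```sh
#!/bin/sh
# Added example (not from the original post): render a per-host doas.conf
# from one master file that is kept identical on every server.
#
# Master-file convention (an assumption of this example, not a doas feature):
#   - ordinary lines are copied through unchanged and apply on every host;
#   - a line beginning "#@host1,host2 " is a rule for the listed hosts only;
#     it is uncommented on those hosts and dropped everywhere else.

# Print the doas.conf for host $2 from master file $1.
render_doas_conf() {
    awk -v host="$2" '
        /^#@/ {
            n = split(substr($1, 3), hosts, ",")
            for (i = 1; i <= n; i++) {
                if (hosts[i] == host) {
                    sub(/^#@[^ \t]*[ \t]+/, "")   # strip the "#@hosts " tag
                    print
                    break
                }
            }
            next                                   # other hosts: drop the line
        }
        { print }
    ' "$1"
}

# Render for this host into a temp file next to the target, check that doas
# parses it, then install it. Any failure leaves the old /etc/doas.conf alone.
install_doas_conf() {
    master=$1
    tmp=$(mktemp /etc/doas.conf.XXXXXXXX) || return 1
    render_doas_conf "$master" "$(hostname -s)" > "$tmp" &&
        doas -C "$tmp" >/dev/null 2>&1 &&    # -C: parse-check only (assumed available)
        chmod 600 "$tmp" && mv "$tmp" /etc/doas.conf && return 0
    rm -f "$tmp"
    return 1
}

# Number of permit/deny rules the rendered config for host $2 would contain.
count_rules() {
    render_doas_conf "$1" "$2" | grep -c '^\(permit\|deny\)' || true
}

# Constructed master file for demonstration (made-up hosts and users).
demo_master=$(mktemp) || exit 1
cat > "$demo_master" <<'EOF'
# rules for every host
permit :wheel
#@web1,web2 permit nopass jdoe as root cmd /usr/sbin/rcctl
#@db1 permit nopass jdoe as _postgresql
EOF
echo "rendered config for web1:"
render_doas_conf "$demo_master" web1
rm -f "$demo_master"
```

On a real box the sequence is `install_doas_conf /path/to/master`; because the parse check runs on the temp copy before the rename, a bad master file (or the continuation-line miscount mentioned above) is caught before it can lock you out.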

The removal of the pf_rules variable support from rc.conf was a bigger issue--I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be. This wasn't the first time an incompatible change decreased my level of security--the removal of tcpwrappers support from SSH was another. I used to use a combination of pf rules and hosts.allow as additional layers of protection on my SSH access, and had a set of tools that allowed me to easily add IP addresses to or remove them from my hosts.allow files. This would have been a layer of defense still in place with the loss of my pf rules, had it still been in existence. Fortunately, I also have SSH on a non-standard port and only allow SSH key logins, not user/password logins, and most of my systems can't be reached on any port without first making a VPN connection, which requires two-factor authentication.
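With pf_rules gone from rc.conf, the same separation of stock and local rules can be kept by having the stock /etc/pf.conf pull in the local file with pf.conf(5)'s `include` directive, and by checking after each upgrade that the local rules are actually what pf is running. The following is an added example, not the author's setup: the helper names, the /etc/pf.conf.local path as default, the idea of grepping `pfctl -sr` for a marker rule that exists only in the local file, and the sample rules are all this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): keep site-local pf rules in a
# separate file and make sure the stock /etc/pf.conf, which gets reinstalled
# at each upgrade, includes them. The helpers are this example's own.

LOCAL_RULES=${LOCAL_RULES:-/etc/pf.conf.local}   # assumed location

# Number of include lines for the local rules file in pf.conf $1.
local_include_count() {
    grep -Fc "include \"$LOCAL_RULES\"" "$1" || true
}

# Append the include line to pf.conf $1 unless it is already there (idempotent,
# so it is safe to run from a post-upgrade script every time).
ensure_local_include() {
    if [ "$(local_include_count "$1")" -gt 0 ]; then
        return 0
    fi
    printf '\n# site-local rules, kept outside the stock file across upgrades\ninclude "%s"\n' \
        "$LOCAL_RULES" >> "$1"
}

# Read a ruleset dump (pfctl -sr output) on stdin and succeed only if it
# contains the marker rule text $1: a distinctive rule that lives only in the
# local file, so its absence means the stock rules are what is running.
ruleset_has_marker() {
    grep -Fq -- "$1"
}

# Post-upgrade sequence on the box itself (needs root and pfctl; not run here):
#   ensure_local_include /etc/pf.conf
#   pfctl -nf /etc/pf.conf      # syntax-check the combined ruleset
#   pfctl -f /etc/pf.conf       # load it
#   pfctl -sr | ruleset_has_marker 'from <admins>' \
#       || echo "WARNING: local pf rules not loaded" >&2

# Constructed, offline demonstration on a copy of a minimal pf.conf.
demo_conf=$(mktemp) || exit 1
cat > "$demo_conf" <<'EOF'
set skip on lo
block return
pass
EOF
ensure_local_include "$demo_conf"
ensure_local_include "$demo_conf"   # second call must not add a second line
echo "include lines: $(local_include_count "$demo_conf")"
cat "$demo_conf"
rm -f "$demo_conf"
```

The marker check is the part that would have caught the problem described above: if the upgrade silently reverts to the default rules, the local-only rule disappears from `pfctl -sr` and the script complains instead of waiting for someone to notice.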

A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments. My "reportnew" log monitoring tool has a feature that allows you to be notified if files that are expected to change on some periodic schedule do not change, and that would be more appropriate than getting daily notifications that yes, the autotrust anchor file has been updated yet again. But what would really be ideal here would be a check that the non-comment components have not changed. (Others have also complained about this.)
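The check the paragraph asks for, comparing only the non-comment content of the autotrust file, is straightforward because the file uses zone-file syntax, where a comment runs from `;` to end of line. The script below is an added example and is not how /etc/security or the author's reportnew tool work; the helper names are this example's own, and the sample anchor files are constructed (the key data and timestamps are made up, only the layout follows unbound's autotrust format).

```sh
#!/bin/sh
# Added example (not from the original post): compare two copies of unbound's
# autotrust anchor file ignoring comments, so the daily timestamp-only rewrite
# of /var/unbound/db/root.key is not reported, while a change to the DNSKEY
# records themselves still is.

# Print the non-comment payload of $1: ";" comments removed, whitespace
# normalized to single spaces, blank lines dropped.
anchor_payload() {
    sed -e 's/;.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' "$1"
}

# Exit 0 if the payloads of $1 and $2 differ, 1 if they are the same apart
# from comments.
anchor_payload_differs() {
    a=$(anchor_payload "$1")
    b=$(anchor_payload "$2")
    [ "$a" != "$b" ]
}

# Fingerprint of the payload, for storing a baseline and comparing from cron.
# cksum(1) is used because it is in base and POSIX; swap in sha256(1) if the
# baseline is kept somewhere an attacker could also write to.
anchor_fingerprint() {
    anchor_payload "$1" | cksum
}

# Constructed sample files (made-up key data and timestamps).
d=$(mktemp -d) || exit 1
cat > "$d/day1" <<'EOF'
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1447804800 ;;Wed Nov 18 00:00:00 2015
;;last_success: 1447804800 ;;Wed Nov 18 00:00:00 2015
;;next_probe_time: 1447848000 ;;Wed Nov 18 12:00:00 2015
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.	172800	IN	DNSKEY	257 3 8 AwEAAexampleRootKSKdata== ;{id = 12345 (ksk), state=2 [  VALID  ] ts=1447804800 lastchange=1420070400}
EOF
# day2: unbound refreshed the probe timestamps, key unchanged
sed -e 's/1447804800/1447891200/g' -e 's/1447848000/1447934400/' "$d/day1" > "$d/day2"
# rolled: the DNSKEY record itself is different
sed -e 's/AwEAAexampleRootKSKdata==/AwEAAdifferentKSKdata==/' "$d/day1" > "$d/rolled"

anchor_payload_differs "$d/day1" "$d/day2"   && echo "day2: CHANGED"   || echo "day2: unchanged (comments only)"
anchor_payload_differs "$d/day1" "$d/rolled" && echo "rolled: CHANGED" || echo "rolled: unchanged"
rm -rf "$d"
```

A daily job can store `anchor_fingerprint /var/unbound/db/root.key` and mail only when the fingerprint moves; that preserves the point of watching the file (a changed trust anchor is exactly what you want to hear about) without the daily noise.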

A final issue I've run into with OpenBSD 5.8 is not a new issue, but it's one that still hasn't been fixed with pf: pf logs certain traffic (IGMP in particular) when it matches a rule that does not call for logging. This appears to be the same issue that was fixed earlier this year in pfSense, which is derived from an older fork of pf.