OpenBSD talk at Farmington Community Library 12 November 2013

I’ll be presenting about OpenBSD at !Michigan/usr/group, a Linux and UNIX user group, on Tuesday, 12 November 2013. The tentative title is “OpenBSD for a Linux User Group,” covering the features and culture that make OpenBSD what it is. (Hint: it’s not security.)

These talks are always more fun when readers show up to heckle, throw rotten tomatoes, and question my morals and parentage.

If I have sufficient connectivity and nobody objects, I’ll try to do a Google Hangout for it. But you can’t throw rotten tomatoes over IP. Yet.

“Sudo Mastery” print + ebook bundle via Amazon

I’ve mentioned this before in various forums and in passing, but it bears a small emphasis.

Some people want books in both ebook and print. I’m not set up to do that, but Amazon is making that happen through their Matchbook program. The general idea is that if you bought a book in paper, you can get the ebook version at a steep discount.

I’ve put both existing Mastery paperbacks in the program. If you’ve bought the print book from Amazon, you can get the electronic version for $2.99. When Sudo Mastery hits paperback, it’ll be included.

Why $2.99?

I feel the fair price for the combo is about $20. The list price on the print books is $20, but Amazon knocks a few bucks off based on their own inscrutable algorithms. I’ve seen SSH Mastery as low as $14 and as high as $18.

There’s also the Amazon royalty on Kindle books. Ebooks priced less than $2.99 pay me a 35% royalty. Ebooks priced at $2.99 and up pay 70% royalties. If I price the Matchbook versions at $2.99, I make about $2.00 per sale. If I price them at $1.99 (the next lower option), I make about $0.66/sale. Ouch. Either way, that’s a lot of sales to pay the mortgage.

All this is a long-winded way of saying:

If you want both the print and ebook versions of Sudo Mastery, wait until the print version comes out. You’ll be able to get both for about $20, more or less.

I never buy my print books through Amazon’s retail channel — I buy them in bulk, from their CreateSpace arm. I would really like confirmation that folks who bought a print Mastery book from Amazon can get the ebook at a discount. If you bought a print Mastery, please take a look at Amazon. See if you can get the Matchbook deal and let me know in the comments here.

“Sudo Mastery” ebook widely available, and acknowledgements

At long last, Sudo Mastery is now available in ebook form on most platforms.

You can get it at my bookstore or Amazon.

It’s also available at Smashwords, but Smashwords doesn’t support footnotes. They do support a workaround that puts all footnotes together at the end of a chapter or the end of the book, but it’ll take some work on my part to make that happen.

It’s not at Barnes & Noble yet, because their new Nook Press application completely mangled the book’s formatting. As I sell an average of one book a month through B&N, I’m seriously considering not having the book there.

Print will come some time in November.

I appreciate all the people who helped me write this book. So, in that spirit, here are the acknowledgements.

I want to thank the folks who reviewed the manuscript for Sudo Mastery before publication: Bryan Irvine, JR Aquino, Hugh Brown, and Avigdor Finkelstein. Special thanks are due to Todd Miller, the current primary developer of sudo, who was very patient and helpful when answering my daft questions.

While I appreciate my technical reviewers, no errors in this book are their fault. All errors are my responsibility. Mine, do you hear me? You reviewers want blame for errors? Go make your own.

XKCD fans should note that the author does not particularly enjoy sandwiches. However, Miod Vallat, currently exiled to France, would really like a sandwich with nice fresh bread, really good mustard, and low-carb ground glass and rusty nails. And Bryan Irvine would like a Reuben.

This book was written while listening obsessively to Assemblage 23.

Now, to finish writing my big 2013 fiction project before the end of the year…

Sudo Mastery off to copyeditor

I just shipped the tech-reviewed copy of Sudo Mastery off to the copyeditor. She’ll have it back to me in a few days, and the book will move into production immediately thereafter.

This means that the pre-order discount will expire soon. How soon is soon? It’s soon.

Now I’m off to work on one of my other 2013 goals. Thanks to my appendix’s untimely detonation at the beginning of the year and my Europe trip, I won’t accomplish everything on that list, but that’s no reason not to get as many of them finished as possible.

“Sudo Mastery” tech reviewers wanted

Thursday night, I finished the first draft of Sudo Mastery. Today, I went through the manuscript, removed my known tics, discovered a few more tics that needed killing, cleaned up bits and pieces, and now have a work ready for technical review.

Which is where you lot come in. I’m looking for people with sudo experience to read the book and tell me where I’ve screwed up. My screw-ups usually come in two flavors:

1) I’m technically wrong.
2) I use something in a way other people don’t.
3) I don’t include something important, because I’ve never used it.

The goal of Sudo Mastery is not to get 100% of my readers to 100% sudo expertise, but instead to get 90% of my readers everything they will need. The remaining 10% will get a solid grounding in sudo and pointers on solving their particularly pernicious edge cases. The idea is roughly similar to my other Mastery books or Cisco Routers for the Desperate.

The contents of Sudo Mastery are:

  1. Introduction
  2. sudo and sudoers
  3. editing and testing sudoers
  4. lists and aliases
  5. options and defaults
  6. shell escapes, editors, and sudoers policies
  7. configuring sudo
  8. user environments versus sudo
  9. sudo for intrusion detection
  10. sudoers distribution and complex policies
  11. security policies in ldap
  12. logging & debugging
  13. authentication

Most of these chapters are short. And much of the writing needs rewriting. But there’s no point in rewriting until I know the content is technically correct.

If you know sudo, if you consider yourself a sudo master already, this is your chance to spread your wisdom. Read my general notes for tech reviewers, and email me at mwlucas at michael w lucas dotcom. (The W is vastly important… you might get a response from the domain without one, but it won’t be what you expected.)

I plan to send out manuscripts over the next week. I’m asking for people to return their comments on or before 5 October. I plan to revise the manuscript the week of 6 October and get it to the copyeditor before the 15th.

With anything resembling luck, the completed book will be available before Thanksgiving. I’d really like to have the holidays off this year.

First draft of “Sudo Mastery” complete

I just typed the last words of the first draft of Sudo Mastery.

The completed first draft is available for early purchasers. As it’s no longer an incomplete draft, I’ve raised the early purchase price to $8.99. That’s more than the really early buyers paid, but less than the final price. (Selling the early drafts from my own bookstore lets me experiment, so I’m ratcheting up the price to see what happens.)

What happens now?

First, I take a couple days and do something else. Anything else. This is vital, as I need some distance from the manuscript. I know it’s a big steaming pile of bodily waste, sure. But I need to be able to see the details of how, exactly, that pile is arranged.

Then: go over the manuscript from beginning to end, looking for obvious technical and writing problems.

Then spellcheck the book. (The purpose of an as-you-type spellchecker is to slow down the writing process. Note that a grammar checker never enters into this process.)

Then solicit technical reviewers. (Don’t volunteer yet: if you do, I’ll put you on my list of people who can’t follow directions.)

Then I go to EuroBSDCon. When I return, I integrate the comments into the book in another round of testing and fact-checking and rewriting.

Off to copyeditor.

Fix what the copyeditor finds.

Then the book comes out.

Wanted: interesting sudoers

I’ve learned a lot about sudo while writing Sudo Mastery. One of the things I’ve learned is that many, many people have insecure sudo policies. Most tutorials, mine included, leave holes people who understand sudo can get through. I’ve also learned that many people are using sudo much more cleverly than I previously thought.

Sudo is perhaps the most widely used access control tool for Unix-like systems. I’d like this book to be accurate and useful. As such, I have a favor to ask my readers:

If you’re using sudo in production, and your sudoers file is pleasant and elegant, or it cleverly solves a tricky access problem, or it’s a horrible ghastly nightmare but you don’t know any other way to express the policy, I’d like you to send me a sanitized copy of your sudoers file.

I’m especially interested in “default deny” policies, where the word ALL doesn’t appear in the command field.

Don’t include real usernames or IP addresses.

And don’t send me anything you’re uncomfortable sharing.

I won’t cut-and-paste your policies, and anything I use will be further anonymized. But the world of sudo is huge, and there are very few really good examples out there. The more good policies I read, the better the book will be.

You can email them to me at mwlucas at michael w lucas dotcom. Please use the word sudoers in the subject.

Thank you for your help.
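A small checker, added here as an illustration and not part of the original post or of the book: it reads a constructed sudoers fragment and flags every rule whose command field is ALL, either directly or through a Cmnd_Alias, which is the distinction between the “default deny” policies asked for above and the usual catch-all ones. The sample policy, the user names and the alias names are made up; the parser handles a simplified subset of the sudoers grammar (one host list per line, no `#uid` users or `#include` directives).

```python
import re

# Constructed sample policy for illustration only; not taken from any real system.
SAMPLE_SUDOERS = """\
# Constructed example policy
Defaults    env_reset
Cmnd_Alias  SERVICES = /usr/sbin/service, /bin/systemctl
Cmnd_Alias  EVERYTHING = ALL
User_Alias  OPS = alice, bob

root        ALL = (ALL) ALL
%wheel      ALL = (ALL) ALL
OPS         ALL = (root) SERVICES
carol       ALL = (root) NOPASSWD: /usr/bin/tail /var/log/messages
dave        ALL = EVERYTHING
"""

ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Tags such as NOPASSWD: or NOEXEC: prefix a command; strip them before inspection.
TAG_PREFIX_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*(.*)")


def _join_continuations(text):
    # sudoers allows a backslash at end of line to continue the entry.
    return text.replace("\\\n", " ")


def parse_cmnd_aliases(text):
    """Return {alias_name: [command, ...]} for every Cmnd_Alias line."""
    aliases = {}
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
    return aliases


def parse_user_specs(text):
    """Return user specifications as dicts: user, host, runas, commands.

    Simplified grammar: comments, Defaults and alias lines are skipped, and
    each remaining line is taken as 'user host = (runas) [TAG:] cmd, cmd'.
    """
    specs = []
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.startswith(ALIAS_KEYWORDS) or "=" not in line:
            continue
        left, right = line.split("=", 1)
        fields = left.split()
        if len(fields) < 2:
            continue
        user, host = fields[0], " ".join(fields[1:])
        right = right.strip()
        runas = None
        m = RUNAS_RE.match(right)
        if m:
            runas, right = m.group(1), m.group(2)
        commands = [TAG_PREFIX_RE.sub("", c.strip()) for c in right.split(",")]
        specs.append({"user": user, "host": host, "runas": runas, "commands": commands})
    return specs


def expand_commands(cmds, aliases, depth=0):
    """Replace Cmnd_Alias names with their members (bounded recursion)."""
    out = []
    for c in cmds:
        if c in aliases and depth < 10:
            out.extend(expand_commands(aliases[c], aliases, depth + 1))
        else:
            out.append(c)
    return out


def find_all_commands(text):
    """Return the users (or %groups / aliases) granted ALL in the command field."""
    aliases = parse_cmnd_aliases(text)
    flagged = []
    for spec in parse_user_specs(text):
        if "ALL" in expand_commands(spec["commands"], aliases):
            flagged.append(spec["user"])
    return flagged


if __name__ == "__main__":
    for who in find_all_commands(SAMPLE_SUDOERS):
        print(f"{who}: command field is ALL (not default deny)")
```

For the actual syntax check, `visudo -c -f <file>` parses a candidate file without installing it; the script only answers the narrower question of which rules grant ALL, so a file that passes it still needs the shell-escape and editor considerations the book covers.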

Book Review: The Practice of Network Security Monitoring

Most computer books are badly written. The information in the book is fine (usually, hopefully), but the actual craft of writing is poor. They read like computer programs. This isn’t surprising, as most computer books are written by computer professionals. By the time you’re good enough at a computing topic to write a book about it, your brain automatically arranges things in machine-friendly order. That’s human nature. The downside of this, however, is that most computing books lack the things that make books interesting to human beings. We readers grit our teeth and plow through them because we need the information.

I’m pleased to say that Richard Bejtlich’s The Practice of Network Security Monitoring is not one of those books. The damn thing is actually readable. By normal people.

That’s a vague assertion. How about a metric? Season 6 of Burn Notice just hit Netflix streaming. I watched a few episodes Saturday. They ended on a tense cliffhanger, but I finally had to go to bed. Sunday, I finished reading this book before seeing how Westen and company got out of their fix. (Okay, that’s not exactly a metric, but it’s a good sign.)

Bejtlich is a Harvard and Air Force Academy graduate. He led CIRT teams in the Air Force, built a security team at General Electric, and is now Chief Security Officer at Mandiant. He’s on television as an electronic security guru. And for the last decade-plus, he’s been beating the drum about intelligent attackers and the need for a holistic approach to security. When everybody else was going on about firewalls and antivirus and access controls and penetration testing, he wrote books like The Tao of Network Security Monitoring arguing that we need to think about network defense as an ongoing activity. He made absurd claims like “prevention eventually fails” and “there are smart people slowly breaking into your network,” lumping these into an overall practice called Network Security Monitoring.

Time has proved that he was right.

Books like Tao and Extrusion Detection had a lot about the business process of security. They had specific examples of how to respond to security incidents. Other books, like my own Network Flow Analysis, cover using a specific tool that’s usable in an NSM context. But there hasn’t been a good book on how to deploy real security monitoring in your organization, across all tools — and, just as importantly, how to get buy-in from the business side on this.

The Practice of Network Security Monitoring does all that and more.

The book starts with an overview of the NSM philosophy and practice, and what makes it different from the conventional “we respond to intrusions” perspective. He spends some time going over the Security Onion toolkit. For those readers not familiar with SO, Security Onion is to security monitoring what pfSense is to firewalls — an integrated toolkit built atop a free operating system. You can build everything you need for NSM without Security Onion, but like pfSense, why bother?

Richard gives a brief overview of the various tools in SO, from Sguil to Bro to Snort to Xplico and on and on and on. While you can hook these tools together yourself so they operate more or less seamlessly, again, SO has done all the work for you.

The best part of the book, however, is where Bejtlich takes us through two security incidents. He uses various Security Onion tools to dissect the data from an intrusion response system alert. He backtracks both a client-side and a server-side intrusion, and shows how to accurately scope the intrusion. Was only one server broken into? What data was stolen? What action can you take in response?

What really makes this book work is that he humanizes the security events. Computing professionals think that their job is taking care of the machine. That’s incorrect. Their main job is to interface between human beings and the computer. Sometimes this takes the form of implementing a specification from a written document, or solving a bug, or figuring out why your SSL web site is running slowly. Maybe most of your professional skill lies in running the debugger. That’s fine, and your skill is admirable. But the reason you get paid is because you interact with other human beings.

Bejtlich pays attention to this human interface. The security incidents happen because people screw up. And they screw up in believable ways — I read the server compromise walkthrough and thought “This could be me.” (Actually, it probably has been me, I just didn’t know it.) Deploying network security monitoring takes hardware, which means you need money and staff. Bejtlich advises the reader on how to approach this conversation, using metrics that competent managers understand. His scenarios include discouragement and even fear. If you’ve ever worked in intrusion response, you know those emotions are very much a part of cleaning up.

But he shows you how to deal with those problems and the attendant emotions: with data.

He even demonstrates practical, real-world examples in how to get that data when the tools fail.

Humanizing a tech book is no easy task. Most authors fail, or don’t even try. But Bejtlich pulls it off. He applies “prevention eventually fails” to both the people and the software, and the result is both readable and useful.

Is this book perfect for me? No. The sections on how to install Security Onion are written so that Windows administrators can use them. I don’t need that level of detail. But the end result is that tPoNSM is usable by people unfamiliar with Unix-like systems, so I can’t really fault him for that.

I should add a caveat here. Richard Bejtlich likes my books. He’s said so. At very great length. Repeatedly. Even though I’ve misspelled his name. More than once. And now I’m reviewing one of his books. I am predisposed to like his work because it’s hard to dislike someone who likes you. But if this book wasn’t good, I wouldn’t bother to review it. I read far more books than I review, and I would much rather not write a review than write a negative review. And anyone familiar with my work can assure you that I do not suck up.

tPoNSM is useful for anyone interested in the security of their own network. Many of the tools can actually be used outside of a security context, to troubleshoot network and system problems. Deploying NSM not only means you can quickly identify, contain, and remediate intrusions, it gives you insight into the network as a whole. You might start off looking for intrusions, but you’ll end up with a more stable network as a side effect.

You can buy the book at any bookstore. If you want to reward the author, buy it directly from No Starch Press and use coupon code NSM101. You’ll get both the print and electronic versions, and Richard will get a couple extra dollars.

Now if you’ll excuse me, there’s another dozen or so episodes of Burn Notice that need watching.

next tech book: Sudo Mastery

Last weekend I amused myself by tweeting:

Stupid contest: give the title of the tech book I’ve just started writing. If correct, you get to make me a sandwich.

The answer is Sudo Mastery. Obviously. Although there were some amusing and hopeful alternative suggestions.

As with DNSSEC Mastery, I’m making the in-progress draft available for purchase. I did this with DNSSEC Mastery, and people seemed pleased. So, let’s try this again.

You can buy Sudo Mastery now for $7.99. You get access to the early drafts of the book, the version sent for tech review, and the final version. Incomplete drafts are in PDF format, because I can’t see anyone loading an incomplete book onto their e-reader. The finished book will be in PDF, epub, and mobi.

The in-progress version also includes various markup and reserved pages for physical layout, as well as whatever notes I make during the writing process. The version currently on the site includes the outline for the part of Chapter 3 that I haven’t written yet.

When the book is complete, I will raise the price to $9.99. Buying early gets you a 20% discount.

You can also choose to overpay for the book (or any title on the site) if you desire. Because some of you want to. If you’re trying to make a go of being a writer, rule number 1 is: when someone puts money in your hand, you take it and say “Thank you.” There’s even an option to just give me money without getting anything, because people have said that they want to do that.

I will announce new versions of the book via Twitter. You’ll get an update every few chapters. As it’s a Mastery book, they’re short chapters. I’ll announce major milestones, such as a complete manuscript or completed tech edits, here.

I’m doing this for a couple reasons. One, people liked it last time. I get paid early, which is always nice. Feedback is good. And I expect that, once again, only my hardcore fans will buy an incomplete book. Some people will look at this as a 20% discount for preorders, which is fine too.

When you buy the book doesn’t matter to me. Sales made via third-party ebookstores are better for my career. They boost the book’s sales rank and increase the book’s visibility. But the only people who will be interested in this offer are those interested enough in my work to stalk me via my blog or Twitter and, frankly, there’s not really enough of you to directly impact my Amazon sales rank.

You all do impact my sales, mind you, but indirectly. Every time you tell someone that they need to read one of my books, every time you leave a positive review on a book, every time you slap your boss and say “Dammit, make the support guys read this book so they leave me alone,” you help me a great deal. And that support drives bookstore rankings.

But as far as my stupid contest went: the best answer by far came from Darrin Chandler, who said:

Liked Absolut OpenBSD, but have since switched to Svedka. The morning afterboot still hurts.

I’m still in pain from that one.