With a single bound it was free!

August 25th, 2006 at 15:01 UTC by Ross Anderson

My book on Security Engineering is now available online for free download here.

I have two main reasons. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I believe many publishers (especially of music and software) are too defensive of copyright. I don’t expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy. After all, a proper book is half the size and weight of 300-odd sheets of laser-printed paper in a ring binder.

I’d been discussing this with my publishers for a while. They have been persuaded by the experience of authors like David MacKay, who found that putting his excellent book on coding theory online actually helped its sales. So book publishers are now learning that freedom and profit are not really in conflict; how long will it take the music industry?

47 comments

  • 1. Paul Crowley  |  August 25th, 2006 at 15:17 UTC

    Hi – good to talk to you at Scrambling for Safety btw.

    I see a possible contradiction here. In the first para you point out that even though you have made the download available, the book is still a desirable item for convenience reasons. But the music industry who you reference in the second para have no such convenience to take advantage of. A stack of MP3 files is more convenient than a CD – I can play them wherever I am, I don’t need to find shelf space, and so on. If I buy a CD, I “rip” the data and put the CD in storage, likely never to be seen again. I understand why I might go and buy a book that I already have as a free download – but once I’ve downloaded the music, why would I buy a CD?

    Thanks for putting Security Engineering online!

  • 2. Patroklos Argyroudis  |  August 25th, 2006 at 15:47 UTC

    Thanks for making this available. I do own a copy of the book, but a PDF version is useful for printing handouts, etc. Btw, the bibliography link seems to be broken.

  • 3. .$author.  |  August 25th, 2006 at 15:47 UTC

    [...] Ross Anderson announced today that his book “Security Engineering” is available for download at no cost: I have two main reasons. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I believe many publishers (especially of music and software) are too defensive of copyright. I don’t expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy. After all, a proper book is half the size and weight of 300-odd sheets of laser-printed paper in a ring binder. [...]

  • 4. Adam Shostack  |  August 25th, 2006 at 16:01 UTC

    Hi Ross,

    First, thank you for making the text available for free!

    Could I ask why you’re not using a creative commons license to define what can be done with it? (Non-commercial, attribution) seems like it’s probably a good fit.

    And lastly, any chance of offering a single-file version for easier searching across the entire text?

  • 5. Joseph Bruno  |  August 25th, 2006 at 16:13 UTC

    Was it difficult to persuade your publishers?

  • 6. Ross Anderson  |  August 25th, 2006 at 16:36 UTC

    I have fixed the bibliography link – thanks for pointing that out.

    I’ve done what the publishers were happy with. They wanted it made available in individual chapters rather than a single pdf, and they won’t be drawn on a Creative Commons license. I expect that after a year or two, once the roof doesn’t fall in, these details will get tidied up.

    Meanwhile it gives almost all that students need. I can say ‘go read chapter 7 for Tuesday’s class’ and if they haven’t, excuses will be harder to come by …

  • 7. Jeff Schroeder  |  August 27th, 2006 at 12:06 UTC

    Thank you for releasing such a well done book online for free! I will certainly be adding a (paperback) version of this to my computer library.

  • 8. Andrew  |  August 28th, 2006 at 00:06 UTC

    Fantastic! This was the book that got me interested in security, and remains the most comprehensive book on security I’ve come across. Unfortunately, it is becoming a bit long in the tooth now – I don’t suppose there’s any news on an updated revision of the book?

  • 9. Tim  |  August 28th, 2006 at 06:19 UTC

    Hi Ross, thanks for the free material. I do have some criticism for you on the password section. In it you talk about passphrases but I think it should have been changed to just phrase.
    “The green group was told to think of a passphrase and select letters from it to build a password. Thus, “It’s 12 noon and I am hungry” would give I S12&IAH.”
    If it was truly a passphrase the user would have used the phrase “It’s 12 noon and I am hungry” and not just the initials. So the statement you made “So passphrases and random passwords seemed to be about equally effective.” would not be true if you do the math. I say that because I have broken A LOT of passwords. The most effective means is using a rainbow table instead of a brute-forcer. And any password/passphrase over 8 characters starts to become impractical in breaking. Passphrases IMO are better as they are much easier to remember and are significantly longer than a password. The length of the password relates directly to how long it takes to break it, not the complexity. For example if you have a password that has numbers, letters (upper and lower) and special characters but is only 8 characters long, it is extremely feasible to break it in minutes using rainbow tables. But a passphrase 15 characters long that is all lowercase and using spaces will take millions of years to break in comparison. Let me know if you are interested in the math.

  • 10. Ross Anderson  |  August 28th, 2006 at 08:47 UTC

    I do plan to produce a second edition but I haven’t yet signed anything. I might do one next academic year, or write a book on something else next year and then do Security Engineering 2e in 2007-8.

    Meanwhile there’s some new material on the book website. Maybe I should think of consolidating this into an ‘update chapter’ describing the main things that have changed since 2001. The “War or Terror” has in some sense changed everything but in many senses has changed nothing. The biggest change to online security has been that hackers now don’t work for fun as much as for profit; we’ve seen the emergence of a black economy with diversified specialists doing malware, spyware, spam and phishing. Security usability is much more important, and maintainability too. Some technical fields have moved on; chip tampering is now more about optical probing than mechanical probing, and real cryptosystem exploits are more about API and system weaknesses.

    The elephant in the living room is of course Trusted Computing and Vista. Will Microsoft get remote attestation to work? I am highly sceptical. But maybe we just have to wait and see. This question more than any other gives me pause about committing to a publication date.

  • 11. ac  |  August 28th, 2006 at 09:42 UTC

    I also already have your book in paper form. Thanks for writing it, the amount of experience you share with your readers is immense.

    I’m also sure that the paper form is still the best way to read it, but have you considered what happens if somebody really produces a device which makes e-texts more convenient to read?

  • 12. Jesse Jarzynka  |  August 28th, 2006 at 18:24 UTC

    First, thanks so much for releasing this online, it makes it much easier to search for things.

    Secondly, don’t your publishers know how easy it is to combine the chapters?

    pdftk *.pdf cat output combined.pdf

    I certainly prefer it combined. It took me only a few minutes with the “Download Them All!” Firefox plugin and pdftk.

  • 13. Zooko O'Whielacronx  |  August 28th, 2006 at 19:27 UTC

    I enjoy using dead tree form more than using PDF, when I have the choice. I now have that choice with Menezes, van Oorschot, Vanstone “Handbook of Applied Cryptography” (“MOV”) and Anderson “Security Engineering”, which both rest on a shelf within reaching distance.

    I concur that “Security Engineering” (like MOV) deserves a fresh revision.

    By the way, Prof. Anderson, I still have a few dozen corrections for you. Most of them are typos or other obvious editing corrections.

    Regards,

    Zooko O’Whielacronx

  • 14. peter  |  August 28th, 2006 at 20:43 UTC

    It should be useful to security departments who can now point their customers to a reference on the web to support whatever piece of advice they have just given.

    I predict the usual amount of notice will be taken though.

  • 15. Russell McOrmond  |  August 28th, 2006 at 20:48 UTC

    I am curious if the specific license agreement that the online version is offered in can be documented. The term “freely available” has entirely different meanings for different people, and to avoid lawyers getting in the way you want to have clear documentation (IE: a license).

    In Canada there is a collective society called Access Copyright that would assume that they should be given the right to collect royalties “on your behalf” for any Canadians that access your “freely available” book.

    As to the book/CD analogy: Getting a Red-Book standard audio CD with higher quality audio is for me far more convenient than an “internet download”. I seem to either be offered unauthorized/infringing files, low quality MP3 files, or defective DRM’d files (I run a FLOSS only shop, so have no “legal” way to access DRM’d files). Very few sites offer the files in FLAC or similar standards-based non-defective lossless file format. Whenever I get these files I tend to back them up to DVD/CD anyway, so getting them on CD in the first place is still very convenient. It is the old economy labels that are making their physical media format less convenient and less valuable by adding various types of defects, not something that is inherent in the underlying format.

  • 16. Ross Anderson  |  August 28th, 2006 at 22:38 UTC

    I’m afraid that I cannot provide further clarification on license terms at this time. I asked Wiley whether I could put the book online and that was finally OK. I asked them to consider a Creative Commons license but they won’t give any commitment on that. Maybe their lawyers are arguing about which brand or flavour of license should become company policy. I don’t think it’s helpful to spend any more time pestering them.

    The important thing is to keep on teaching the marketing department that you can put technical books online and not see the sales go down. Once that lesson reaches the boardroom, and the directors see all their competitors doing it too, the lawyers will be told to get their act together.

  • 17. .$author.  |  August 28th, 2006 at 22:48 UTC

    [...] I just read at Light Blue Touchpaper that one of my top ten books of the past ten years is now available online. Now you have no excuse not to read this incredible book (reviewed here). It seems funny that the blog commenters asking about making a single .pdf have not heard of Pdftk. Thanks to jimmythegeek for getting this news to me faster than my Bloglines feed. http://taosecurity.blogspot.com/2006/08/security-engineering-book-in-digital.html Filed Under: CP, Security, Book [...]

  • 18. Stu Thomas  |  August 29th, 2006 at 13:44 UTC

    One small step for publishing, one giant step for security-kind. Thank you, I look forwards to second editions and new books in print too!

    Will there ever be an FAQ for dealing with Civil Servants and privacy issues? i.e. dealing with the DH on National Care Record (NHS), or RIP and the Home Office? Hey ho.

  • 19. .$author.  |  August 29th, 2006 at 20:07 UTC

    [...] I’m enthused to hear Ross Anderson has made his book, Security Engineering available online and FREE to download. He explains his reasoning at his website; to reach the widest possible audience, especially among poor students and being a supporter of free culture and free software.  [...]

  • 20. .$author.  |  August 30th, 2006 at 07:46 UTC

    [...] Security Engineering – A Guide to Building Dependable Distributed Systems (via Isotopp). The idea is that you buy it, when you think it’s good, which seems likely to me. [...]

  • 21. Newell  |  August 30th, 2006 at 17:25 UTC

    Because of the recommendations of others I had already purchased your book and count on it heavily. Making it available in PDF format is a boon for me. Thanks!

    It may be a generational thing, but I have a number of PDFs of books that I own. I use PDFs for ready research since they are on my computer and easily searchable. But I greatly prefer the printed page when I am trying to truly understand a subject, and important works I purchase for retention in my library.

  • 22. Johannes Berg  |  August 31st, 2006 at 09:51 UTC

    After looking into the PDF version for a while I decided there was no way I should miss this and ordered the book. And thanks to Lufthansa’s Miles&More program it was almost free too :)

  • 23. Michael Ferris  |  August 31st, 2006 at 15:14 UTC

    Thank you Ross. Having worked for a (leading) dedicated Open Source company for many years now – seeing the principle of democratization of content yield valid business and profit models outside of software warms my heart.

    Case in point – I had not owned a copy of your book before now. Your news via this blog and the 5 other (exceptionally strong) recommendations from associates regarding your book because of the news that it was available for download encouraged myself, and no doubt others, to purchase.

    Thank you.

  • 24. Raghavan  |  August 31st, 2006 at 16:51 UTC

    Wonderful. I have enjoyed this. Thank you so much for making it available online.

    I will be getting myself a proper book soon because it is handy to have one for reference when I am not in a ‘digital’ environment. I have already recommended it to several people involved in systems security.

    Having it online serves another great purpose – when I am travelling and I want to share something from the book with someone this is another great way to do it.

    Thank you once again.

  • 25. Stuart Cunningham  |  August 31st, 2006 at 17:47 UTC

    There appears to be a typesetting bug in the PDF for chapter 5 “Cryptography”. In the description of the Birthday Theorem (section 5.3.1.2) the symbol under the square root sign is missing.

  • 26. J2K  |  August 31st, 2006 at 20:15 UTC

    Great development here. I already have the book in paper form though. It was the basis of a class I took a couple years ago from Carlisle Adams in Ottawa. I highly recommend it.

  • 27. Jeremy  |  August 31st, 2006 at 21:55 UTC

    Quote from chapter one:

    “Thus, we can talk about the integrity of a database of electronic warfare
    threats (it has not been corrupted, whether by the other side or by Murphy), but the
    authenticity of a general’s orders (which has an overlap with the academic usage).”

    Does this sentence sound right? I don’t think it reads as you intended it to, Ross.

    Thanks for doing this, I find your book very engrossing and not at all gross!

  • 28. Clive Robinson  |  September 1st, 2006 at 02:18 UTC

    Ross

    Many thanks to you and the publishers for putting it up.

    One thought, how about doing a future online version as a Wiki which really becomes a “collective commons” of all those who contribute (I guess the publishers’ legal bods would have heart problems at the thought ;) ).

    As I have a first edition, I really should get you to sign it some time ;)

  • 29. Paul R  |  September 1st, 2006 at 02:38 UTC

    Wow, this is great, I bought the book years ago, lent it to someone and didn’t get it back.

    I’m trying to reformat the pdf files using ghostscript and pstops to get a 2-up printout and am having trouble – either ghostscript has a problem or the pdf’s are malformed in some way. I haven’t yet tried examining it in detail since I’m not a postscript wizard. But if anyone cares, the pstops parameters (from Peter Selinger’s excellent psdim program) should be:

    pstops "2:0@0.77L(8.47in,-0.29in)+1@0.77L(8.47in,4.76in)"

  • 30. .$author.  |  September 1st, 2006 at 02:40 UTC

    [...] No word yet on the mp3 version, read aloud by Bruce Schneier. [...]

  • 31. Nathan  |  September 1st, 2006 at 06:13 UTC

    Thanks for putting this online! I bought a paper version a couple of years back, but I’m downloading a copy so I can have it in digital form as well.

    I’ve been recommending this book to people since I got it. It’s really somewhat of a masterpiece on the subject.

    Thanks again!

  • 32. ThankfulStudent  |  September 1st, 2006 at 09:02 UTC

    Thank you, Ross. Your book is a really very useful one and rather expensive for South American students (almost inaccessible!)

    Be sure that you are even further contributing for the enhancement of information security! Thank you!

  • 33. TJ  |  September 1st, 2006 at 10:56 UTC

    Great stuff, well written and easy to follow. Highly recommended. Thanks a lot for making it available to everyone.

  • 34. J  |  September 1st, 2006 at 17:07 UTC

    Thank you for making this available!

    Two requests:

    1. Could the Table of Contents pdf file also be posted?
    2. Could the Index pdf file also be posted?

    -J

  • 35. John Kelsey  |  September 5th, 2006 at 16:38 UTC

    I’ll add my thanks, too. I have the paper book, but I do a lot of my work remotely, with my laptop. It’s *wonderful* to have most of my reference materials available on the machine, rather than back in my office or at home on a bookshelf.

  • 36. .$author.  |  September 8th, 2006 at 18:44 UTC

    Security Engineering by Ross Anderson freely available…

  • 37. .$author.  |  September 19th, 2006 at 13:51 UTC

    [...] Free book: Ross Anderson – Security Engineering Ross Anderson’s excellent security book “Security Engineering” is now available for free in a PDF version. [...]

  • 38. .$author.  |  October 19th, 2006 at 14:39 UTC

    [...] And in his blog he also asks So book publishers are now learning that freedom and profit are not really in conflict; how long will it take the music industry? [...]

  • 39. Ian Foster  |  November 5th, 2006 at 05:09 UTC

    I am delighted to see this wonderful book available online.

    I recall that back in 1993, I persuaded my publisher to put “Designing and Building Parallel Programs” online. I think it helped sales considerably. See: http://ianfoster.typepad.com/blog/2006/09/free_books.html.

  • 40. MichaeL  |  November 6th, 2006 at 15:53 UTC

    I always find something new and interesting every time I come around here – thanks.

  • 41. Brian Wiese  |  February 9th, 2007 at 23:20 UTC

    I noticed that the audiobook has been started already for the first few chapters. Might I recommend submitting this book to for others to make contributions of reading the chapters into mp3 format? I’ve used librivox recordings quite a bit for my long road trips, a great way to cover “classical” literature… which I would consider this book to be, even though it is not quite that old yet!

  • 42. Ronald Messino  |  February 5th, 2008 at 19:04 UTC

    Thank you for the opportunity to read this book, is perfect!!!!

  • 43. Sheriff  |  August 7th, 2008 at 11:59 UTC

    Living in Ghana, I am not able to have access to many IT security books but putting your book Security Engineering online is too good to be true – thanks a million for that. I am now trying to order the Second Edition through a friend in the US even though I have not finished with the first yet. This is just wonderful, perfect.

  • 44. carlos  |  August 23rd, 2008 at 17:32 UTC

    thank you for this book

  • 45. Muhammad Naveed Khurshid  |  October 7th, 2008 at 05:26 UTC

    I personally think it is unfair to put this Security Engineering book online for free and it is an injustice to those who pay 45 pounds. I have a query with Dr. Ross Anderson, can he give second edition to me free since I paid my one day pay to buy his old book.

  • 46. thanks  |  December 25th, 2009 at 16:43 UTC

    Thanks …

  • 47. Angel  |  May 26th, 2010 at 09:57 UTC

    It is very kind of you to have allowed free access to this book, I will definitely buy the printed copy. Because I wish to have it; it is a great book.

    Thank you.
