<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Security issues in ubiquitous computing</title>
	<atom:link href="http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/</link>
	<description>Security Research, Computer Laboratory, University of Cambridge</description>
	<pubDate>Wed, 17 Mar 2010 06:35:50 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Frank Stajano</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30711</link>
		<dc:creator>Frank Stajano</dc:creator>
		<pubDate>Thu, 12 Feb 2009 12:24:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30711</guid>
		<description>Thanks Bernd.

As for the review copy, I might be able to do that with the 2nd ed of my own Wiley book but it's unlikely it will happen with this multi-author Springer one---believe it or not, I've had to negotiate extensively even to get the promise of a single copy of it for myself as a contributing author, and never mind any mention of royalties.

In the end I only wrote this chapter for Springer (but retaining the (C)) because one of the editors is a friend and because I had something I wanted to write anyway that I hope readers will appreciate.</description>
		<content:encoded><![CDATA[<p>Thanks Bernd.</p>
<p>As for the review copy, I might be able to do that with the 2nd ed of my own Wiley book but it&#8217;s unlikely it will happen with this multi-author Springer one&#8212;believe it or not, I&#8217;ve had to negotiate extensively even to get the promise of a single copy of it for myself as a contributing author, and never mind any mention of royalties.</p>
<p>In the end I only wrote this chapter for Springer (but retaining the (C)) because one of the editors is a friend and because I had something I wanted to write anyway that I hope readers will appreciate.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bernd Eckenfels</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30705</link>
		<dc:creator>Bernd Eckenfels</dc:creator>
		<pubDate>Thu, 12 Feb 2009 06:32:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30705</guid>
		<description>Frank I would be happy to help you with that Work and do some Review.

(and if you can get Springer to send me a review book, I can also blog it and write an Amazon review of this book project :)

Gruss
Bernd</description>
		<content:encoded><![CDATA[<p>Frank I would be happy to help you with that Work and do some Review.</p>
<p>(and if you can get Springer to send me a review book, I can also blog it and write an Amazon review of this book project :)</p>
<p>Gruss<br />
Bernd</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Frank Stajano</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30470</link>
		<dc:creator>Frank Stajano</dc:creator>
		<pubDate>Thu, 29 Jan 2009 18:17:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30470</guid>
		<description>Thanks a lot to all for your valuable comments which all helped improve the material, whether adopted or not. All of you were duly credited in the acknowledgements. I have now shipped my camera-ready copy to the editors. Once the copy-editors do their stuff and I have a really final version I'll put it on my web page.

I am glad that several of you cared about that last bit, which is also the one dearest to my heart. Yes, we have a duty to educate the general public, but without preaching to them. Personally, I'll keep doing my best with forthcoming writing and speaking engagements.

@Bernd: extra thanks for the time and thought you put into your detailed and perceptive comments! If and when I do a second edition of the book, you'd make a valuable technical reviewer if you wanted to.</description>
		<content:encoded><![CDATA[<p>Thanks a lot to all for your valuable comments which all helped improve the material, whether adopted or not. All of you were duly credited in the acknowledgements. I have now shipped my camera-ready copy to the editors. Once the copy-editors do their stuff and I have a really final version I&#8217;ll put it on my web page.</p>
<p>I am glad that several of you cared about that last bit, which is also the one dearest to my heart. Yes, we have a duty to educate the general public, but without preaching to them. Personally, I&#8217;ll keep doing my best with forthcoming writing and speaking engagements.</p>
<p>@Bernd: extra thanks for the time and thought you put into your detailed and perceptive comments! If and when I do a second edition of the book, you&#8217;d make a valuable technical reviewer if you wanted to.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Lil-Wayne Quotes</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30420</link>
		<dc:creator>Lil-Wayne Quotes</dc:creator>
		<pubDate>Tue, 20 Jan 2009 16:33:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30420</guid>
		<description>I agree with you that the first step is always to educate the general public about the risks. These days there isn't much teaching and preaching going on as there is selling and manipulating.

IT security issues have become ubiquitous since virtually any (non) action in daily life can potentially imply juridical or financial consequences, and even the most banal activities cause privacy concerns when 'observed' by computers. These security issues should be identified and highlighted to the public.</description>
		<content:encoded><![CDATA[<p>I agree with you that the first step is always to educate the general public about the risks. These days there isn&#8217;t much teaching and preaching going on as there is selling and manipulating.</p>
<p>IT security issues have become ubiquitous since virtually any (non) action in daily life can potentially imply juridical or financial consequences, and even the most banal activities cause privacy concerns when &#8216;observed&#8217; by computers. These security issues should be identified and highlighted to the public.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pete Austin</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30416</link>
		<dc:creator>Pete Austin</dc:creator>
		<pubDate>Mon, 19 Jan 2009 15:44:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30416</guid>
		<description>Re: The generic lack of security is therefore also due to the fact that customers don’t appear to place a high value on it,
as shown by their unwillingness to pay any substantial extra premium to obtain it (Acquisti, 2004). 

This misinterprets the evidence. The suggestion is that non-customers are not persuadable to pay a substantial extra premium for a promise of good security. Damn right - people who care about security have ample reasons to be a very cynical lot and not believe such claims. Doesn't mean they don't value it.

Re: You may design strong security and privacy protection features only to see that your users don’t actually care and just leave them all disabled for simplicity.

Not necessarily. I have left my phone logon protection disabled, not because I don't care, but because the security risk is low, and I can slightly increase my privacy by making any record of my calls and movements deniable. Other people may do the same with their home computers and wireless routers. These are cases where so-called privacy "protection" may actually reduce  privacy.</description>
		<content:encoded><![CDATA[<p>Re: The generic lack of security is therefore also due to the fact that customers don’t appear to place a high value on it,<br />
as shown by their unwillingness to pay any substantial extra premium to obtain it (Acquisti, 2004). </p>
<p>This misinterprets the evidence. The suggestion is that non-customers are not persuadable to pay a substantial extra premium for a promise of good security. Damn right - people who care about security have ample reasons to be a very cynical lot and not believe such claims. Doesn&#8217;t mean they don&#8217;t value it.</p>
<p>Re: You may design strong security and privacy protection features only to see that your users don’t actually care and just leave them all disabled for simplicity.</p>
<p>Not necessarily. I have left my phone logon protection disabled, not because I don&#8217;t care, but because the security risk is low, and I can slightly increase my privacy by making any record of my calls and movements deniable. Other people may do the same with their home computers and wireless routers. These are cases where so-called privacy &#8220;protection&#8221; may actually reduce  privacy.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nick Towner</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30410</link>
		<dc:creator>Nick Towner</dc:creator>
		<pubDate>Sat, 17 Jan 2009 22:31:08 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30410</guid>
		<description>Good summary.  For the question at the end about the part ordinary  users must play in the security of ubicomp, we need to recast the idea: "technical hygiene", perhaps?</description>
		<content:encoded><![CDATA[<p>Good summary.  For the question at the end about the part ordinary  users must play in the security of ubicomp, we need to recast the idea: &#8220;technical hygiene&#8221;, perhaps?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bernd Eckenfels</title>
		<link>http://www.lightbluetouchpaper.org/2009/01/15/security-issues-in-ubiquitous-computing/comment-page-1/#comment-30402</link>
		<dc:creator>Bernd Eckenfels</dc:creator>
		<pubDate>Fri, 16 Jan 2009 04:01:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=651#comment-30402</guid>
		<description>Some feedback:

I like the historic intro, but if you consider this being a chapter in a much longer book you might repeat a lot of the history and thereby wasting at least 2 pages. I always find this annoying in multi-author books.

You cite some books by author and not more clue (title). I would add the book titles in the text to avoid people to refer to your bib index to know which you mean.

On page 5 you use the term "risk" as likelihood of occurrence, which is just one (less often used?) possible meaning. It could also mean "possible threat outcome" with more attributes like likelihood, cost of mitigation and severity of damage. (But I do agree that it is very important to make clear it is always a trade off, there is no 100% security)

Page 9 - backup haha: you might need to add some solutions here. For example Apple's iPods have the property that for most management functions you need to sync them which automatically backs up, this is a good solution, devices should always backup the data as a natural process.

You should maybe mention the term multi factor authentication.

2.2 repeats a bit the location concerns of 2.1

I think for technologies Bluetooth, NFR and WLAN are a large risk contributor, they are missing here.

Another large technology risks are zombies: if millions of devices can be controlled by an attacker (worm) and the owners don't care about updates (why should anybody update the firmware on a 5$ kitchen clock) then this is a major threat to infrastructures (DDOS)

2.3 The RFIDs in the European travel pass have an interesting property you might mention: the OCR of the number in order to authenticate for reading basic data (i.e. w/o visual contact you can't identify a person. this assumes if you let somebody look at your pass you agree with identification) (unless you did your crypto wrong like the Dutch with too small keys)

For section 3.2 you might want to mention the OLPC project which tries to implement a software protection system on the laptops which allows children who cannot read(!) to handle it but still allow open access to the devices: http://wiki.laptop.org/go/OLPC_Bitfrost

Classical usability problems are default-open WLANs, Bluetooth Pins or SSL Certificate Dialogs.

BTW: I had actually quite some more suggestions and while reading the next page I deleted them from the notes since you mentioned them. Therefore I am quite pleased with the text.

I miss some statements at the end what needs to change for people to get sensitive about the problems. However, I am not sure what actually can be done beside preaching.

Greetings
Bernd</description>
		<content:encoded><![CDATA[<p>Some feedback:</p>
<p>I like the historic intro, but if you consider this being a chapter in a much longer book you might repeat a lot of the history and thereby wasting at least 2 pages. I always find this annoying in multi-author books.</p>
<p>You cite some books by author and not more clue (title). I would add the book titles in the text to avoid people to refer to your bib index to know which you mean.</p>
<p>On page 5 you use the term &#8220;risk&#8221; as likelihood of occurrence, which is just one (less often used?) possible meaning. It could also mean &#8220;possible threat outcome&#8221; with more attributes like likelihood, cost of mitigation and severity of damage. (But I do agree that it is very important to make clear it is always a trade off, there is no 100% security)</p>
<p>Page 9 - backup haha: you might need to add some solutions here. For example Apple&#8217;s iPods have the property that for most management functions you need to sync them which automatically backs up, this is a good solution, devices should always backup the data as a natural process.</p>
<p>You should maybe mention the term multi factor authentication.</p>
<p>2.2 repeats a bit the location concerns of 2.1</p>
<p>I think for technologies Bluetooth, NFR and WLAN are a large risk contributor, they are missing here.</p>
<p>Another large technology risks are zombies: if millions of devices can be controlled by an attacker (worm) and the owners don&#8217;t care about updates (why should anybody update the firmware on a 5$ kitchen clock) then this is a major threat to infrastructures (DDOS)</p>
<p>2.3 The RFIDs in the European travel pass have an interesting property you might mention: the OCR of the number in order to authenticate for reading basic data (i.e. w/o visual contact you can&#8217;t identify a person. this assumes if you let somebody look at your pass you agree with identification) (unless you did your crypto wrong like the Dutch with too small keys)</p>
<p>For section 3.2 you might want to mention the OLPC project which tries to implement a software protection system on the laptops which allows children who cannot read(!) to handle it but still allow open access to the devices: <a href="http://wiki.laptop.org/go/OLPC_Bitfrost" rel="nofollow">http://wiki.laptop.org/go/OLPC_Bitfrost</a></p>
<p>Classical usability problems are default-open WLANs, Bluetooth Pins or SSL Certificate Dialogs.</p>
<p>BTW: I had actually quite some more suggestions and while reading the next page I deleted them from the notes since you mentioned them. Therefore I am quite pleased with the text.</p>
<p>I miss some statements at the end what needs to change for people to get sensitive about the problems. However, I am not sure what actually can be done beside preaching.</p>
<p>Greetings<br />
Bernd</p>
]]></content:encoded>
	</item>
</channel>
</rss>
