With a single bound it was free!

My book on Security Engineering is now available online for free download here.

I have two main reasons. First, I want to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; I believe many publishers (especially of music and software) are too defensive of copyright. I don’t expect to lose money by making this book available for free: more people will read it, and those of you who find it useful will hopefully buy a copy. After all, a proper book is half the size and weight of 300-odd sheets of laser-printed paper in a ring binder.

I’d been discussing this with my publishers for a while. They have been persuaded by the experience of authors like David MacKay, who found that putting his excellent book on coding theory online actually helped its sales. So book publishers are now learning that freedom and profit are not really in conflict; how long will it take the music industry?

47 thoughts on “With a single bound it was free!

  1. Hi – good to talk to you at Scrambling for Safety btw.

    I see a possible contradiction here. In the first para you point out that even though you have made the download available, the book is still a desirable item for convenience reasons. But the music industry who you reference in the second para have no such convenience to take advantage of. A stack of MP3 files is more convenient than a CD – I can play them wherever I am, I don’t need to find shelf space, and so on. If I buy a CD, I “rip” the data and put the CD in storage, likely never to be seen again. I understand why I might go and buy a book that I already have as a free download – but once I’ve downloaded the music, why would I buy a CD?

    Thanks for putting Security Engineering online!

  2. Hi Ross,

    First, thank you for making the text available for free!

    Could I ask why you’re not usnig a creative commons license to define what can be done with it? (Non-commercial, attribution) seems like its probably a good fit.

    And lastly, any chance of offering a single-file version for easier searching across the entire text?

  3. I have fixed the bibliography link – thanks for pointing that out.

    I’ve done what the publishers were happy with. They wantd it made available in individual chapters rather than a single pdf, and they won’t be drawn on a Creative Commons license. I expect that after a year or two, once the roof doesn’t fall in, these details will get tidied up.

    Meanwhile it gives almost all that students need. I can say ‘go read chapter 7 for Tuesday’s class’ and if they haven’t, excuses will be harder to come by …

  4. Fantastic! This was the book that got me interested in security, and remains the most comprehensive book on security I’ve come across. Unfortunately, it is becoming a bit long in the tooth now – I don’t suppose there’s any news on an updated revision of the book?

  5. Hiu Ross, thanks for the free material. I do have some criticism for you on the password section. In it you talk about passphrases but I think it should have been changed to just phrase.
    “The green group was told to think of a passphrase and select letters from it to build a password. Thus, “It’s 12 noon and I am hungry” would give I S12&IAH.”
    If it was truely a passphrase the user would have used the phrase “It’s 12 noon and I am hungry” and not just the initials. So the statement you made “So passphrases and random passwords seemed to be about equally effective.” would not be true if you do the math. I says that because I have broken ALOT of passwords. The most effective means is using a rainbowtable instead of a bruteforcer. And any password/passphrase over 8 characters starts to become impratical in breaking. Passphrases IMO are better as they are much easier to remember and are significantly longer then a password. The length of the password relates directly on how long it takes to break it not the complexity. For example if you have a password that has numbers, letters (upper and lower) and special characters but is only 8 characters long, it is extremely feasable to break it in minutes using rainbowtables. But a passphrase 15 characters long that is all lowercase and using spaces will take millions of years to break in comparison. Let me know if you are interested in the math.

  6. I do plan to produce a second edition but I haven’t yet signed anything. I might do one next academic year, or write a book on something else next year and then do Security Engineering 2e in 2007-8.

    Meanwhile there’s some new material on the book website. Maybe I should think of consolidating this into an ‘update chapter’ describing the main things that have changed since 2001. The “War or Terror” has in some sense changed everything but in many senses has changed nothing. The biggest change to online security has been that hackers now don’t work for fun as much as for profit; we’ve seen the emergence of a black economy with diversified specialists doing malware, spyware, spam and phishing. Security usability is much more important, and maintainability too. Some technical fields have moved on; chip tampering is now more about optical probing than mechanical probing, and real cryptosystem exploits are more about API and system weaknesses.

    The elephant in the living room is of course Trusted Computing and Vista. Will Microsoft get remote attestation to work? I am highly sceptical. But maybe we just have to wait and see. This question more than any other gives me pause about committing to a publication date.

  7. I also already have your book in paper form. Thanks for writing it, the amount of experience you share with your readers is immense.

    I’m also sure that the paper form is still the best way to read it, but have you considered what happens if somebody really produces a device which makes e-texts more convenient to read?

  8. First, thanks so much for releasing this online, it makes it much easier to search for things.

    Secondly, don’t your publishers know how easy it is to combine the chapters?

    pdftk *.pdf cat output combined.pdf

    I certainly prefer it combined. It took me only a few minuted with the “Download Them All!” Firefox plugin and pdftk.

  9. I enjoy using dead tree form more than using PDF, when I have the choice. I now have that choice with Menezes, van Oorschot, Vanstone “Handbook of Applied Cryptography” (“MOV”) and Anderson “Security Engineering”, which both rest on a shelf within reaching distance.

    I concur that “Security Engineering” (like MOV) deserves a fresh revision.

    By the way, Prof. Anderson, I still have a few dozen corrections for you. Most of them are typos or other obvious editing corrections.


    Zooko O’Whielacronx

  10. It should be useful to security departments who can now point their customers to a reference on the web to support whatever piece of advice they have just given.

    I predict the usual amount of notice will be taken though.

  11. I am curious if the specific license agreement that the online version is offered in can be documented. The term “freely available” has entirely different meanings for different people, and to avoid lawyers getting in the way you want to have clear documentation (IE: a license).

    In Canada there is a collective society called Access Copyright that would assume that they should be given the right to collect royalties “on your behalf” for any Canadians that access your “freely available” book.

    As to the book/CD analogy: Getting a Red-Book standard audio CD with higher quality audio is for me far more convenient than an “internet download”. I seem to either be offered unauthorized/infringing files, low quality MP3 files, or defective DRM’d files (I run a FLOSS only shop, so have no “legal” way to access DRM’d files). Very few sites offer the files in FLAC or similar standards-based non-defective lossless file format. Whenever I get these files I tend to back them up to DVD/CD anyway, so getting them on CD in the first place is still very convenient. It is the old economy labels that are making their physical media format less convenient and less valuable by adding various types of defects, not something that is inherent in the underlying format.

  12. I’m afraid that I cannot provide further clarification on license terms at this time. I asked Wiley whether I could put the book online and that was finally OK. I asked them to consider a Creative Commons license but they won’t give any commitment on that. Maybe their lawyers are arguing about which brand or flavour of license should become company policy. I don’t think it’s helpful to spend any more time pestering them.

    The important thing is to keep on teaching the marketing department that you can put technical books online and not see the sales go down. Once that lesson reaches the boardroom, and the directors see all their competitors doing it too, the lawyers will be told to get their act together.

  13. One small step for publishing, one giant step for security-kind. Thank you, I look forwards to second editions and new books in print too!

    WIll there ever be an FAQ for dealing with Civil Servants and privacy issues?. i.e. dealing with the DH on National Care Record (NHS), or RIP and the Home Office?. Hey ho.

  14. Because of the recommendations of others I had already purchased your book and count on it heavily. Making it available in PDF format is a boon for me. Thanks!

    It may be a generational thing, but I have a number PDFs of books that I own. I use PDFs for ready research since they are on my computer and easily searchable. But I greatly prefer the printed page when I am trying to truly understand a subject, and important works I purchase for retention in my library.

  15. After looking into the PDF version for a while I decided there was no way I should miss this and ordered the book. And thanks to Lufthansa’s Miles&More program it was almost free too 🙂

  16. Thank you Ross. Having worked for a (leading) dedicated Open Source company for many years now – seeing the pricipal of democratization of content yeild valid business and profit models outside of software warms my heart.

    Case in point – I had not owned a copy of your book before now. Your news via this blog and the 5 other (exceptionally strong) recommendiations from associates regarding your book because of the news that it was available for download encouraged myself, and no doubt others, to purchase.

    Thank you.

  17. Wonderful. I have enjoyed this. Thank you so much for making it available online.

    I will be getting myself a proper book soon because it is handy to have one for reference when I am not in a ‘digital’ environment. I have already recommended it to several people involved in systems security.

    Having it online serves another great purpose – when I am travelling and I want to share something from the book with someone this is another great way to do it.

    Thank you once again.

  18. There appears to be a typesetting bug in the PDF for chapter 5 “Cryptography”. In the description of the Birthday Theorem (section the symbol under the square root sign is missing.

  19. Great development here. I already have the book in paper form though. It was the basis of a class I took a couple years ago from Carlisle Adams in Ottawa. I highly recommend it.

  20. Quote from chapter one:

    “Thus, we can talk about the integrity of a database of electronic warfare
    threats (it has not been corrupted, whether by the other side or by Murphy), but the
    authenticity of a general’s orders (which has an overlap with the academic usage).”

    Does this sentence sound right? I don’t think it reads as you intended it to, Ross.

    Thanks for doing this, I find your book very engrossing and not at all gross!

  21. Ross

    Many thanks to you and the publishers for putting it up.

    One thought, how about doing a future online version as a Wiki which realy becomes a “collective commons” of all those who contribute (I guess the publishers legal bods would have heart problems at the thought ;).

    As I have a first edition, I realy should get you to sign it some time 😉

  22. Wow, this is great, I bought the book years ago, lent it to someone and didn’t it it back.

    I’m trying to reformat the pdf files using ghostscript and pstops to get a 2-up printout and am having trouble–either ghostscript has a problem or the pdf’s are malformed in some way. I haven’t yet tried examining it in detail since I’m not a postscript wizard. But if anyone cares, the pstops parameters (from Peter Selinger’s excellent psdim program) should be:

    pstops “2:0@0.77L(8.47in,-0.29in)+1@0.77L(8.47in,4.76in)”

  23. Thanks for putting this online! I bought a paper version a couple of years back, but I’m downloading a copy so I can have it in digital form as well.

    I’ve been recommending this book to people since I got it. It’s really somewhat of a masterpiece on the subject.

    Thanks again!

  24. Thank you, Ross. Your book is a really very useful one and rather expensive for south american students (almost inaccessible!)

    Be sure that you are even further contributing for the enhancement of information security! Thank you!

  25. Great stuff, well written and easy to follow. Highly recommended. Thanks a lot for making it available to everyone.

  26. Thank-you for making this avaible!

    Two requests:

    1. Could the Table of Contents pdf file also be posted?
    2. Could the Index pdf file also be posted?


  27. I’ll add my thanks, too. I have the paper book, but I do a lot of my work remotely, with my laptop. It’s *wonderful* to have most of my reference materials available on the machine, rather than back in my office or at home on a bookshelf.

  28. Pingback: Jamik
  29. Living in Ghana, I am not able to have access to many IT security books but putting your book Security Engineering online is too good to be true- thanks a million for that. I am now trying to order the Second Edition through a friend in the US even though I have not finshed with the first yet. This is just wonderful, perfect.

  30. I personally think it is unfair to put this Security Engineering book online for free and it is unjustice with those who pay 45 pounds. I have a query with Dr. Ross Anderson, can he give second edition to me free since I paid my one day pay to buy his old book.

  31. It is very kind of you to have allowed free access to this book, I will definitely buy the printed copy. Because I wish to have it; it is a great book.

    Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *