Idea for second book -- "Stay safe online: computer security at home"

Jesper and I are planning a second book. We've noticed a distinct dearth of useful, actionable, and non-scare-mongering computer security resources for home users. A few of the books we've seen are hopelessly bad, really. Either they rapidly forget their audience and get way too technical, or they indulge in religious arguments, bashing Microsoft for no good reason. Why would that be interesting to the average non-technical home user?

We want to take a different approach. Here's a basic outline, which I'll fill in over the next couple weeks:

  • Introduction
    • Purpose and audience
    • Security basics
    • Understanding the tradeoff
    • Recognizing threats
    • Risk management
  • Ensure your computer is up to date
  • Protect against malware
  • Protect your users
    • Running with least privilege
    • How to use administrative privileges properly
    • Software that requires administrative privileges and good alternatives
  • Safe home networking
  • Surfing safely
  • Installing applications properly
  • All you need to know about passwords
  • Protecting your children online
  • How to spot snake oil
  • What if the worst happens?

Unlike other books, we have no illusions that home users are interested in managing their computers. All they want to do is use them! And our chapter on protecting children will have a decidedly different slant. We're generally opposed to spying on kids, thinking that it's better to build an environment of trust.

We're thinking that if we could get this book into places like Costco, Sams Club, Best Buy, Circuit City, and so on, it would sell pretty well. What do you think of our idea? Is there a market for this book? Would you recommend or buy it for your family, your friends, and your neighbors?

Comments

  • Anonymous
    January 01, 2003
    Steve Riley & Jesper M. Johansson, two Microsoft security icons and top speakers at TechEDs...
  • Anonymous
    July 25, 2005
    Love the idea! If security becomes a habit in the home, hopefully that will carry forward into schools and workplaces.
    Yes, I would love to see a book like this for my friends and family.
  • Anonymous
    July 25, 2005
    Hi Steve, this sounds like a great idea!
    Especially if you can make it non-technical. I always try to explain to my friends what the advantages are of running with the least privileges, SP2, etc., so it saves me lots of time if I can just recommend your book to them! :)
  • Anonymous
    July 25, 2005
    I think the book is a brilliant idea. As you suggest, there isn't a well written/target specific book on the market. It's funny, I have been thinking about this for the last couple of days. Obviously you guys have been as well, but for a bit longer. The content of the book for me has come from the question, "Do we spoon feed our users too much?" I would suggest, yes. Look at the wonderful tool Group Policy: is that not security by obscurity? We use Group Policy to implement our company policies, determining that certain areas of the machine don't require user intervention, so we turn it off. Great, works really well. But what happens when that user goes home and turns on their machine, running with full admin rights with a permanent broadband internet connection? They have complete access to all those "nasties" they don't at work. As shown with the Microsoft Defence-in-Depth model, it has to start with people, policies and procedures THEN products. I believe our users need to know why we turned that off, rather than just deciding for them. This is why, in my opinion, the main aim of the security folk has to be education. Microsoft realise this, which is why they run free security summits. Steve and Jesper do as well, hence the idea for the second book (love the first, by the way! :) ). If you don't agree with me, or think I am a complete id10t for thinking our users need to know anything, then voice it; difference is the key to progression.

    Steve, I look forward to chatting to you and getting my book signed at TechEd Australia.

    John Sandiford
  • Anonymous
    July 31, 2005
    Hmmm, I'm not so sure... to be honest I think home users are unlikely to buy a computer book, full stop. Let alone a book on a topic they are very likely intimidated by, not because they don't want to know more, but because they feel that it would go over their heads. $80-$100 (that's what your average tech book costs in Australia) is a lot of money for someone to spend who really, at the end of the day, wants to send a few emails, look at a few webpages and type up their resume.

    You would do a lot better to try and target the support organisations that these home users call when they have problems. The PC manufacturers, the ISPs, even Microsoft. Some of the garbage advice I've heard come from the 1st level support people in these companies astounds me.

    If someone doing that for a job isn't inclined to educate themselves in the ways of secure computing, what chance have we got to get an end user educated?

    Don't get me wrong, it is a great idea, and something that needs to be done, but I'm just not sure about the means of delivery. Maybe a series of articles that was syndicated in the average PC mags or one of those mini books that you can pick up for $10 from newsagents.

    Looking forward to seeing you in a few weeks at Tech Ed Australia :-)
  • Anonymous
    August 02, 2005
    n00dles, you make a good point about reluctance of our target audience. That's why we're working with the publisher to try to get a couple things done. First, this book won't be priced at US$50 -- more like US$25. Second, we want to work with manufacturers like Dell and HP to get them to buy the book and include it with every system they sell.

    Level 1 tech support...sigh. When you reward people not for the quality of the assistance they give but for the quantity of calls they complete, you get what you pay for -- a lot of bad experiences.
  • Anonymous
    August 12, 2005
    I'd like to see a clear explanation of how to set up LAN file sharing in a Windows XP and mixed environment.
  • Anonymous
    August 13, 2005
    I think it's a great idea. I see an added bonus too for IT professionals who get called at home by friends and family when they're in trouble (and we all know they will get in trouble). They would be my primary target to recommend the book to.

    PS: Why not include a DVD with the book, with not only tools that they can use but a movie of the two of you going over the material. It would be good for those who don't want to read the book from cover to cover.
  • Anonymous
    August 26, 2005
    Yes, there's a definite requirement for this book in the marketplace. Can't wait for it. PS. Saw you today with Jesper in the "Debunking Security Myths" session of Tech Ed Asia - very informative and entertaining; a great way to present! Keep up the good work...
  • Anonymous
    August 29, 2005
    Yes, I believe it is a good idea to publish the book for home users. However, I have the same view as most here that the target audience is non-technical and it is necessary to start them off with something very basic. Perhaps it would be best to focus more on the threats of the internet and not on providing instruction on securing the home PC. Looking at the topics, I think the chapter 'Protect your users' might be a bit heavy.
  • Anonymous
    October 19, 2005
    I think this is a fine idea. I have seen a couple of similar books but nothing of any substance or merit. Too much focus on the dangers, not enough on the solutions and practicalities.

    I would definitely buy this book - as a gift for my parents!

    They are both bright, intelligent people who can understand technical points if put across properly. They are just unfortunate to have been born 20-odd years too early to have grown up with this stuff. They live at the other end of the country so it's not too easy to explain things to them - I end up fixing the immediate issue at hand every time.

    When I work with businesses on the 'management' side of their IT, such as formulating Acceptable Use Policies, and doing training generally, I always try to include advice that people can also apply at home. For example, you could say "don't put everyone in the To: field of an email, use BCC: because our corporate policy says so to protect the privacy of our clients". I would rather point out that this is a good practice anyway and helps to reduce the exposure of all the addresses when one of your recipients gets infected with a worm. It can seem weird when they send a party invitation by email and they only seem to be inviting one guest, though...

    Having seen some of your seminars (via ItsShowTime - thanks to Rafal for pointing it out in the first instance at one of his events) I am sure you will do a good job of making this topic accessible. Good luck on this much-needed project!

    Incidentally, over at www.SecurityForums.com (SFDC) they have book reviews which get pretty widely read - it might be worth getting them to review it once it's available so that more people get to know about it.