Olivier Langlois's blog

The content of this book slightly overlap the content of the author previous book (Secrets and Lies: Digital Security in a Networked World) but presents the material with a different angle. An angle with the perspective of a security expert that witness security measures taken by governments in reaction of the 9/11 terrorism attack and wants people to understand the absurdity of some of these measures.

It is not technical at all and does not necessitate any particular background to understand and enjoy. The author explains clearly how to make a risk assessment of something that you want to make more secure and then evaluate the cost of the security measures. Only when you have that data, you can evaluate if the added security is worth it.

These explanations are backed up with concrete examples such as evaluating the risk to make purchase with a credit card over the internet. Other examples include the absurdity of securing a lunch in a company refrigerator because the potential loss if having a lunch stolen does not justify securing it. The author also explains that even with technologies that looks very accurate such as facial recognition with an error rate of, let’s say, 0.0001 % are totally ineffective when they have to control a huge number of persons like a stadium crowd because even with this accuracy, they would create an unmanageable amount of false positive alerts.

The author also elaborate about why you should question the motivation of a security provider when it is a third party and link this with how people fears can be exploited to introduce invasive, excessively expensive and inefficient security measures. I think that the goal of the author was to make people more critics about security questions and my opinion is that his goal has been successfully achieved.

This book is not very technical but it is very interesting to read and is very good to convey the basic principles of security. This book will teach you why security is more important than ever with the advent of computers and internetworking. It will present you potential attackers, their motivations and their resources. It shows how to add security to a system by doing some analysis of how the system could be attacked. After reading this book, you will have a better understanding of what it means to make a digital system secure.

Following Carlos Fernndez feedback, he pointed out that in the function CGradient::InsertSort() used by the tutorial sample program, the variable j that was declared inside the for statement was used outside of the for loop block. Strangely, my compiler has never complained about the problem but since it was trivial to fix, I just moved the j variable declaration outside the for loop statement.

You can read about that tutorial at:

Alternative to MFC for GDI programming tutorial

That is a question a co-worker of mine asked. I did remember that I used to know what it does mean, but earlier today when I came back home, I have double checked in my COM reference book and I have found a subsection dedicated to the subject.

COM deals with multithreading by defining an apartment concept. 2 Apartment types exist: The single threaded apartment (STA) and the Multi-threaded apartment (MTA). One of the numerous COM class attributes is in which apartment type objects of that class are allowed to run. 3 values are possible for that attribute: STA, MTA or both.

When a thread wants to access a STA object, it will go through the same process than if the object was remote and will go through a proxy object, marshalling/unmarshalling and the thread residing in the remote STA apartment which must have a message loop, will receive the request. This whole process adds a lot of overhead and for that reason, COM allows to create a custom marshaller. Your COM object would have to implement the interface IMarshal. One example of a custom marshaller would be to serialize the whole object state to create an exact copy of it on the proxy side so once unmarshalled, all access to it would remain local.

Now, (I know the short explanation is starting to be long), in the case that a developer went through the process of making his COM class thread safe to support MTA, it would be a good idea to have a custom marshaller to just serialize a raw pointer to it for a safe direct access even when it reside in a STA apartment. This situation is so common that COM provides the custom marshaller that does it. It is the famous Free Threaded Marshaller and since COM does not allow inheritance to reuse code, the only way is to aggregate it to your COM object with the function CoCreateFreeThreadedMarshaler().

Aggregating a COM object just mean that when QueryInterface is called for getting an interface that the outer COM object does not support, it will forward it to the IUnknown::QueryInterface of the aggregated object.

This book is extremely complete. It briefly covers the history of cryptography. It describes the political implications of cryptography and finally it shows how cryptography can be used in applications and presents the different cryptographic algorithms.

The algorithm section starts with a number theory primer.Honestly, I have found it a little bit too thin to learn all the needed background to fully understand the algorithms but on the other side, you cannot expect a simple 600 pages book to provide that background in the latest mathematical research number theories. It has at least the merit that it did stimulate my curiosity about number theory when I have read the first edition of this book.

Another point that makes this book interesting is that at the end of each chapter presenting the various algorithms in a given category, you will get Bruce Schneier opinion on which algorithm is the best. Of course, this type of information usually become outdated real fast but it is interesting to follow his thought process and test his predictions as the book grow older.

So, if you are looking for your first cryptography book, it should be this one.